Abstract. At Crypto'07, Goyal introduced the concept of Accountable Authority Identity-Based Encryption as a convenient tool to reduce the amount of trust in authorities in Identity-Based Encryption. In this model, if the Private Key Generator (PKG) maliciously re-distributes users' decryption keys, it runs the risk of being caught and prosecuted. Goyal proposed two constructions: the first one is efficient but can only trace well-formed decryption keys to their source; the second one allows tracing obfuscated decryption boxes in a model (called weak black-box model) where cheating authorities have no decryption oracle. The latter scheme is unfortunately far less efficient in terms of decryption cost and ciphertext size. The contribution of this paper is to describe a new construction that combines the efficiency of Goyal's first proposal with a very simple weak black-box tracing mechanism. The proposed scheme is presented in the selective-ID model but readily extends to meet all security properties in the adaptive-ID sense, which is not known to be true for prior black-box schemes.
1 Introduction

Identity-based cryptography, first proposed by Shamir [39], alleviates the need for digital certificates used in traditional public-key infrastructures. In such systems, users' public keys are public identifiers (e.g. email addresses) and the matching private keys are derived by a trusted party called Private Key Generator (PKG). The first practical construction for Identity-Based Encryption (IBE) was put forth by Boneh and Franklin [8], despite the bandwidth-demanding proposal by Cocks [17], and, since then, a large body of work has been devoted to the design of schemes with additional properties or relying on different algorithmic assumptions [23, 5, 6, 35, 41, 7, 21, 13, 9].

In spite of its appealing advantages, identity-based encryption has not undergone rapid adoption as a standard. The main reason is arguably the fact that it requires unconditional trust in the PKG: the latter can indeed decrypt any ciphertext or, even worse, re-distribute users' private keys. The key escrow problem can be mitigated as suggested in [8] by sharing the master secret among multiple PKGs, but this inevitably entails extra communication and infrastructure. Related paradigms [20, 3] strived to remove the key escrow problem but only did so at the expense of losing the benefit of human-memorizable public keys: these models get rid of escrow authorities but both involve traditional (though not explicitly certified) public keys that are usually less convenient to work with than easy-to-remember public identifiers.

In 2007, Goyal [24] explored a new approach to deter rogue actions from authorities. With the Accountable Authority Identity-Based Encryption (A-IBE) primitive, if the PKG discloses a decryption key associated with some identity over the Internet, it runs the risk of being caught and sued by the user. A-IBE schemes achieve this goal by means of an interactive private key generation protocol between the user and the PKG. For each identity, there are exponentially many families of possible decryption keys. The key generation protocol provides the user with a single decryption key while concealing from the PKG the family that this key belongs to. From this private key, the user is computationally unable to find one from a different family. Hence, for a given identity, a pair of private keys from distinct families serves as evidence of a fraudulent PKG. The latter remains able to passively eavesdrop on communications but is discouraged from revealing users' private keys. Also, users cannot falsely accuse an honest PKG since they are unable to compute a new key from a different family using a given key.

Prior Works. Two constructions were given in [24]. The first one (that we call Goyal-1 hereafter) builds on Gentry's IBE [21] and, while efficient, only allows tracing well-formed decryption keys. This white-box model seems unlikely to suffice in practice since malicious parties can rather release an imperfect and/or obfuscated program that only decrypts with small but noticeable probability. The second scheme of [24] (let us call it Goyal-2), which is constructed on the Sahai-Waters fuzzy IBE [35], has a variant providing weak black-box traceability: even an imperfect pirate decryption box can be traced (based on its input/output behavior) back to its source, although traceability is only guaranteed against dishonest PKGs that have no decryption oracle in the attack game. However, Goyal-2 is somewhat inefficient as decryption requires a number of pairing calculations that is linear in the security parameter. For the usually required security level, ciphertexts contain more than 160 group elements and decryption calculates a product of about 160 pairings.

Subsequently, Au et al. [4] described another A-IBE scheme providing retrievability (i.e., a property that prevents the PKG from revealing more than one key for a given identity without exposing its master key) but remained in the white-box model. More recently, Goyal et al. [25] modified the Goyal-2 system using attribute-based encryption techniques [35, 26] to achieve full black-box traceability: unlike Goyal-2, the scheme of [25] preserves security against dishonest PKGs that have access to a decryption oracle in the model. While definitely desirable in practice, this property is currently achievable only at the expense of the same significant penalty as in Goyal-2 [24] in terms of decryption cost and ciphertext size.

Our Contributions. We present a very efficient and conceptually simple scheme with weak black-box traceability. We prove its security (in the standard model) under the same assumption as Goyal-2. Decryption keys and ciphertexts consist of a constant number of group elements and their length is thus linear in the security parameter $\lambda$ (instead of quadratic as in Goyal-2). Encryption and decryption take $O(\lambda^3)$-time (w.r.t. $O(\lambda^4)$ in Goyal-2) with only two pairing computations as for the latter (against more than 160 in Goyal-2).

While presented in the selective-ID security model (where adversaries must choose the identity that will be their prey at the outset of the game) for simplicity, our scheme is easily adaptable to the adaptive-ID model of [8]. In contrast, one of the security properties (i.e., the infeasibility for users to frame innocent PKGs) was only established in the selective-ID setting for known schemes in the black-box model (i.e., Goyal-2 and its fully black-box extension [25]). Among such schemes, ours thus appears to be the first one that can be tweaked so as to achieve adaptive-ID security against dishonest users.

Our scheme performs almost as well as Goyal-1 (the main overhead being a long master public key à la Waters [41] to obtain the adaptive-ID security). In comparison with the latter, which was only analyzed in a white-box model of traceability, our system provides several other advantages:

- Its security relies on a weaker assumption. So far, the only fully practical A-IBE scheme was resting on assumptions whose strength grows with the number of adversarial queries, which can be as large as $2^{30}$ as commonly assumed in the literature. Such assumptions are subject to a limited attack [16] that requires a careful adjustment of group sizes (by as much as 50% additional bits) to guarantee a secure use of schemes.

- It remains secure when many users want to run the key generation protocol in a concurrent fashion. Goyal-1 has a key generation protocol involving zero-knowledge proofs. As its security reductions require rewinding adversaries at each key generation query, security is only guaranteed when the PKG interacts with users sequentially. In inherently concurrent environments like the Internet, key generation protocols should remain secure when executed by many users willing to register at the same time. By minimizing the number of rewinds in reductions, we ensure that our scheme remains secure in a concurrent setting. In these regards, the key generation protocol of Goyal-2 makes use of oblivious transfers (OT) in sub-protocols. It thus supports concurrency whenever the underlying OT protocol does. As already mentioned however, our scheme features a much better efficiency than Goyal-2.
- In a white-box model of traceability, it can be made secure against dishonest PKGs equipped with a decryption oracle^3. In the following, we nevertheless focus on the (arguably more interesting) weak black-box traceability aspect.

As an extension to the proceedings version of this paper [31], we also show how to apply the idea of our weak black-box tracing mechanism to Gentry's IBE. The resulting A-IBE system is obtained by bringing a simple modification to the key generation protocol of Goyal-1 so as to perfectly hide the user's key family from the PKG's view while preserving the efficiency of the whole scheme. Since the resulting system inherits the efficiency of Gentry's IBE and the Goyal-1 white-box A-IBE, it turns out to be the most efficient weakly black-box A-IBE construction to date. Its (adaptive-ID) security is moreover proved under a tight reduction (albeit under a strong assumption).

Finally, since detecting misbehaving PKGs is an equally relevant problem 
in IBE primitives and their generalizations, we show how the underlying idea 
of previous schemes can be applied to one of the most practical identity-based 
broadcast encryption (IBBE) realizations [10]. We also argue that the same 
technique similarly applies in the context of attribute-based encryption [35, 26]. 

Organization. In the rest of the paper, section 2 recalls the A-IBE security 
model defined in [24]. We first analyze the white-box version of our scheme in 
section 3 and then describe a weak black-box tracing mechanism in section 4. 
Sections 5 and 6 describe and analyze the extensions of our method to Gentry's 
IBE and the Boneh-Hamburg IBBE scheme, respectively. 

2 Background and Definitions 

Syntactic definition and security model. We recall the definition of A-IBE schemes and their security properties as defined in [24].

Definition 1. An Accountable Authority Identity-Based Encryption scheme (A-IBE) is a tuple (Setup, Keygen, Encrypt, Decrypt, Trace) of efficient algorithms or protocols such that:

- Setup takes as input a security parameter and outputs a master public key mpk and a matching master secret key msk.

- $\mathsf{Keygen}^{(\mathsf{PKG}, \mathsf{U})}$ is an interactive protocol between the public parameter generator PKG and the user U:

  • the common input to PKG and U are: the master public key mpk and an identity ID for which the decryption key has to be generated;

  • the private input to PKG is the master secret key msk.

  Both parties may use a sequence of private coin tosses as additional inputs. The protocol ends with U receiving a decryption key $d_{ID}$ as his private output.

- Encrypt takes as input the master public key mpk, an identity ID and a message m and outputs a ciphertext.

- Decrypt takes as input the master public key mpk, a decryption key $d_{ID}$ and a ciphertext C and outputs a message.

- Trace given the master public key mpk and a decryption key $d_{ID}$, this algorithm outputs a key family number $n_F$ or the special symbol $\bot$ if $d_{ID}$ is ill-formed.

Correctness requires that, for any outputs (mpk, msk) of Setup, any plaintext m and any identity ID, whenever $d_{ID} \leftarrow \mathsf{Keygen}^{(\mathsf{PKG}(msk), \mathsf{U})}(mpk, ID)$, we have

$$
\mathsf{Trace}(mpk, d_{ID}) \neq \bot \quad \text{and} \quad \mathsf{Decrypt}(mpk, d_{ID}, \mathsf{Encrypt}(mpk, ID, m)) = m.
$$

^3 We believe that the Goyal-1 system can also be modified so as to obtain this property.

The above definition is for the white-box setting. In a black-box model, Trace takes as input an identity ID, the corresponding user's well-formed private key $d_{ID}$ and a decryption box $\mathcal{D}$ that successfully opens a non-negligible fraction $\varepsilon$ of ciphertexts encrypted under ID. The output of Trace is either "PKG" or "User" depending on which party is found guilty of having crafted $\mathcal{D}$.

Goyal formalized three security properties for A-IBE schemes. The first one is the standard notion of privacy [8] for IBE systems. As for the other ones, the FindKey game captures the intractability for the PKG to create a decryption key of the same family as the one obtained by the user during the key generation protocol. Finally, the ComputeNewKey game models the infeasibility for users to generate a key $d'_{ID}$ outside the family of the legally obtained one.

Definition 2. An A-IBE scheme is deemed secure if all probabilistic polynomial time (PPT) adversaries have negligible advantage in the following games.

1. The IND-ID-CCA game. For any PPT algorithm $\mathcal{A}$, the model considers the following game, where $\lambda \in \mathbb{N}$ is a security parameter:

$$
\begin{array}{l}
\mathsf{Game}^{\mathrm{IND\text{-}ID\text{-}CCA}}_{\mathcal{A}}(\lambda) \\
\quad (mpk, msk) \leftarrow \mathsf{Setup}(\lambda) \\
\quad (m_0, m_1, ID^*, s) \leftarrow \mathcal{A}^{\mathsf{Dec}, \mathsf{KG}}(\mathsf{find}, mpk) \\
\qquad \big|\ \mathsf{Dec}: (C, ID) \rightarrow \mathsf{Decrypt}(mpk, msk, ID, C); \\
\qquad \big|\ \mathsf{KG}: ID \rightarrow \mathsf{Keygen}^{(\mathsf{PKG}(msk), \cdot)}(mpk, ID) \qquad \text{// } ID \neq ID^* \\
\quad d^* \leftarrow \{0, 1\} \\
\quad C^* \leftarrow \mathsf{Encrypt}(mpk, ID^*, m_{d^*}) \\
\quad d \leftarrow \mathcal{A}^{\mathsf{Dec}, \mathsf{KG}}(\mathsf{guess}, s, C^*) \\
\qquad \big|\ \mathsf{Dec}: (C, ID) \rightarrow \mathsf{Decrypt}(mpk, msk, ID, C); \qquad \text{// } (C, ID) \neq (C^*, ID^*) \\
\qquad \big|\ \mathsf{KG}: ID \rightarrow \mathsf{Keygen}^{(\mathsf{PKG}(msk), \cdot)}(mpk, ID) \qquad \text{// } ID \neq ID^* \\
\quad \text{return } 1 \text{ if } d = d^* \text{ and } 0 \text{ otherwise.}
\end{array}
$$

$\mathcal{A}$'s advantage is measured by $\mathrm{Adv}^{\mathrm{IND\text{-}ID\text{-}CCA}}_{\mathcal{A}}(\lambda) = \big| \Pr[\mathsf{Game}^{\mathrm{IND\text{-}ID\text{-}CCA}}_{\mathcal{A}} = 1] - 1/2 \big|$.

The weaker definition of chosen-plaintext security (IND-ID-CPA) is formalized in the same way in [8] but $\mathcal{A}$ is not granted access to a decryption oracle.

2. The FindKey game. Let $\mathcal{A}$ be a PPT algorithm. We consider the following game, where $\lambda \in \mathbb{N}$ is a security parameter:

$$
\begin{array}{l}
\mathsf{Game}^{\mathrm{FindKey}}_{\mathcal{A}}(\lambda) \\
\quad (mpk, ID, s_1) \leftarrow \mathcal{A}(\mathsf{setup}, \lambda) \\
\quad (d^{(1)}_{ID}, s_2) \leftarrow \mathsf{Keygen}^{(\mathcal{A}(s_1), \mathsf{U})}(mpk, ID) \\
\quad d^{(2)}_{ID} \leftarrow \mathcal{A}(\mathsf{findkey}, s_1, s_2) \\
\quad \text{return } 1 \text{ if } \mathsf{Trace}(mpk, d^{(1)}_{ID}) = \mathsf{Trace}(mpk, d^{(2)}_{ID}) \text{ and } 0 \text{ otherwise.}
\end{array}
$$

$\mathcal{A}$'s advantage is now defined as $\mathrm{Adv}^{\mathrm{FindKey}}_{\mathcal{A}}(\lambda) = \Pr[\mathsf{Game}^{\mathrm{FindKey}}_{\mathcal{A}} = 1]$.

Here, the adversary $\mathcal{A}$ acts as a cheating PKG and the challenger emulates the honest user. Both parties engage in a key generation protocol where the challenger obtains a private key for an identity ID chosen by $\mathcal{A}$. The latter aims at producing a private key corresponding to ID and belonging to the same family as the key obtained by the challenger in the key generation protocol. Such a successful dishonest PKG could disclose user keys without being caught.

Note that, at the beginning of the experiment, $\mathcal{A}$ generates mpk without revealing the master key msk and the challenger runs a sanity check on mpk.

As noted in [24], it makes sense to provide $\mathcal{A}$ with a decryption oracle that undoes ciphertexts using $d^{(1)}_{ID}$ (and could possibly leak information on the latter's family) between steps 2 and 3 of the game. We call this enhanced notion FindKey-CCA (as opposed to the weaker one which we call FindKey-CPA).

Finally, in the black-box model, instead of outputting a new key $d^{(2)}_{ID}$, the dishonest PKG comes up with a decryption box $\mathcal{D}$ that correctly decrypts ciphertexts intended for ID with non-negligible probability $\varepsilon$ and wins if the tracing algorithm returns "User" when run on $d^{(1)}_{ID}$ and with oracle access to $\mathcal{D}$.

3. The ComputeNewKey game. For a PPT algorithm $\mathcal{A}$, the model finally considers the following game:

$$
\begin{array}{l}
\mathsf{Game}^{\mathrm{ComputeNewKey}}_{\mathcal{A}}(\lambda) \\
\quad (mpk, msk) \leftarrow \mathsf{Setup}(\lambda) \\
\quad (d^{(1)}_{ID^*}, d^{(2)}_{ID^*}, ID^*) \leftarrow \mathcal{A}^{\mathsf{KG}}(mpk) \\
\qquad \big|\ \mathsf{KG}: ID \rightarrow \mathsf{Keygen}^{(\mathsf{PKG}(msk), \cdot)}(mpk, ID) \\
\quad \text{return } 1 \text{ if } \mathsf{Trace}(mpk, d^{(1)}_{ID^*}) \neq \bot \text{ and } \mathsf{Trace}(mpk, d^{(2)}_{ID^*}) \notin \{\bot, \mathsf{Trace}(mpk, d^{(1)}_{ID^*})\}, \text{ and } 0 \text{ otherwise.}
\end{array}
$$

$\mathcal{A}$'s advantage is $\mathrm{Adv}^{\mathrm{ComputeNewKey}}_{\mathcal{A}}(\lambda) = \Pr[\mathsf{Game}^{\mathrm{ComputeNewKey}}_{\mathcal{A}} = 1]$.
The ComputeNewKey game involves an adversary interacting with a PKG in executions of the key generation protocol and obtaining private keys associated with distinct identities of her choosing. The adversary is declared successful if, for some identity that may have been queried for key generation, she is able to find two private keys from distinct families. Such a pair would allow her to trick a judge into wrongly believing in a misbehavior of the PKG.

In the black-box scenario, the output of the dishonest user consists of a key $d^{(1)}_{ID^*}$ and a pirate decryption box $\mathcal{D}$ that yields the correct answer with probability $\varepsilon$ when provided with a ciphertext encrypted for $ID^*$. In this case, the adversary wins if the output of $\mathsf{Trace}^{\mathcal{D}}(mpk, d^{(1)}_{ID^*})$ is "PKG".

In [14], Canetti, Halevi and Katz suggested relaxed notions of IND-ID-CCA 
and IND-ID-CPA security where the adversary has to choose the target identity 
ID* ahead of time (even before seeing the master public key mpk). This re- 
laxed model, called "selective-ID" model (or IND-sID-CCA and IND-sID-CPA 
for short), can be naturally extended to the ComputeNewKey notion. 

Bilinear Maps and Complexity Assumptions. We use prime order groups $(\mathbb{G}, \mathbb{G}_T)$ endowed with an efficiently computable map $e: \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_T$ such that:

1. $e(g^a, h^b) = e(g, h)^{ab}$ for any $(g, h) \in \mathbb{G} \times \mathbb{G}$ and $a, b \in \mathbb{Z}$;

2. $e(g, h) \neq 1_{\mathbb{G}_T}$ whenever $g, h \neq 1_{\mathbb{G}}$.

In such bilinear groups, we assume the hardness of the (now classical) Decision Bilinear Diffie-Hellman problem that has been widely used in the recent years.

Definition 3. Let $(\mathbb{G}, \mathbb{G}_T)$ be bilinear groups of prime order $p$ and $g \in \mathbb{G}$. The Decision Bilinear Diffie-Hellman Problem (DBDH) is to distinguish the distributions of tuples $(g^a, g^b, g^c, e(g,g)^{abc})$ and $(g^a, g^b, g^c, e(g,g)^{z})$ for random values $a, b, c, z \leftarrow \mathbb{Z}_p^*$. The advantage of a distinguisher $\mathcal{B}$ is measured by

$$
\mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{B}}(\lambda) = \Big| \Pr[a, b, c \leftarrow \mathbb{Z}_p^* : \mathcal{B}(g^a, g^b, g^c, e(g,g)^{abc}) = 1] - \Pr[a, b, c, z \leftarrow \mathbb{Z}_p^* : \mathcal{B}(g^a, g^b, g^c, e(g,g)^{z}) = 1] \Big|.
$$

For convenience, we use an equivalent formulation of the problem, called modified DBDH, which is to distinguish $e(g,g)^{ab/c}$ from random given $(g^a, g^b, g^c)$.

3 The Basic Scheme 

The scheme mixes ideas from the "commutative-blinding" [5] and "exponent- 
inversion" [36] frameworks. Private keys have the same shape as in commutative- 
blinding-based schemes [5,6,41,13]. At the same time, their first element is a 
product of two terms, the first one of which is inspired from Gentry's IBE [21]. 

According to a technique applied in [24], private keys contain a family number $t$ that cannot be tampered with while remaining hidden from the PKG. This family number $t$ is determined by combining two random values $t_0$ and $t_1$ respectively chosen by the user and the PKG in the key generation protocol. The latter begins with the user sending a commitment $R$ to $t_0$. Upon receiving $R$, the PKG turns it into a commitment to $t_0 + t_1$ and uses the modified commitment to generate a "blinded" private key $d'_{ID}$. The user obtains his final key $d_{ID}$ by "unblinding" $d'_{ID}$ thanks to the randomness that was used to compute $R$.

A difference with Goyal-1 is that the key family number is perfectly hidden from the PKG and the FindKey-CPA security is unconditional. In the key generation protocol, the user's first message is a perfectly hiding commitment that comes along with a witness-indistinguishable (WI) proof of knowledge of its opening. In Goyal-1, users rather send a deterministic (and thus non-statistically hiding) commitment and knowledge of the underlying value must be proven in zero-knowledge because a proof of knowledge of a discrete logarithm must be simulated (by rewinding the adversary) in the proof of FindKey-CPA security. In the present scheme, the latter does not rely on a specific assumption and we do not need to simulate knowing the solution of a particular problem instance. Therefore, we can dispense with perfectly ZK proofs and settle for a more efficient 3-move WI proof (such as Okamoto's variant [33] of Schnorr [38]) whereas 4 rounds are needed using zero-knowledge proofs of knowledge.

3.1 Description 

Setup: given $\lambda \in \mathbb{N}$, the PKG selects bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p > 2^\lambda$ with a random generator $g \leftarrow \mathbb{G}$. It chooses $h, Y, Z \leftarrow \mathbb{G}$ and $x \leftarrow \mathbb{Z}_p^*$ at random. It defines its master key as $msk := x$ and the master public key is chosen as $mpk := (X = g^x, Y, Z, h)$.

$\mathsf{Keygen}^{(\mathsf{PKG}, \mathsf{U})}$: to obtain a private key for his identity ID, a user U interacts with the PKG in the following key generation protocol.

1. The user U draws $t_0, \theta \leftarrow \mathbb{Z}_p^*$, provides the PKG with a commitment $R = h^{t_0} \cdot X^{\theta}$ and also gives an interactive witness indistinguishable proof of knowledge of the pair $(t_0, \theta)$, which he retains for later use.

2. The PKG outputs $\bot$ if the proof of knowledge fails to verify. Otherwise, it picks $r', t_1 \leftarrow \mathbb{Z}_p^*$ and returns

$$
d'_{ID} = (d'_1, d'_2, d'_3) = \Big( (Y \cdot R \cdot h^{t_1})^{1/x} \cdot (g^{ID} \cdot Z)^{r'},\ X^{r'},\ t_1 \Big). \qquad (1)
$$

3. U picks $r'' \leftarrow \mathbb{Z}_p^*$ and computes $d_{ID} = \big( d'_1 / g^{\theta} \cdot (g^{ID} \cdot Z)^{r''},\ d'_2 \cdot X^{r''},\ d'_3 + t_0 \big)$ which should equal

$$
d_{ID} = (d_1, d_2, d_3) = \Big( (Y \cdot h^{d_3})^{1/x} \cdot (g^{ID} \cdot Z)^{r},\ X^{r},\ t_0 + t_1 \Big) \qquad (2)
$$

where $r = r' + r''$. Then, U checks whether $d_{ID}$ satisfies the relation

$$
e(d_1, X) = e(Y, g) \cdot e(h, g)^{d_3} \cdot e(g^{ID} \cdot Z, d_2). \qquad (3)
$$

If so, he sets his private key as $d_{ID}$ and the latter belongs to the family of decryption keys identified by $n_F = d_3 = t_0 + t_1$. He outputs $\bot$ otherwise.

Encrypt: to encrypt $m \in \mathbb{G}_T$ given mpk and ID, choose $s \leftarrow \mathbb{Z}_p^*$ and compute

$$
C = (C_1, C_2, C_3, C_4) = \big( X^{s},\ (g^{ID} \cdot Z)^{s},\ e(g, h)^{s},\ m \cdot e(g, Y)^{s} \big).
$$

Decrypt: given $C = (C_1, C_2, C_3, C_4)$ and $d_{ID} = (d_1, d_2, d_3)$, compute

$$
m = C_4 \cdot \left( \frac{e(C_1, d_1)}{e(C_2, d_2) \cdot C_3^{d_3}} \right)^{-1}. \qquad (4)
$$

Trace: given a purported private key $d_{ID} = (d_1, d_2, d_3)$ and an identity ID, check the validity of $d_{ID}$ w.r.t. ID using relation (3). If valid, $d_{ID}$ is declared as a member of the family identified by $n_F = d_3$.

The correctness of the scheme follows from the fact that well-formed private keys always satisfy relation (3). By raising both members of (3) to the power $s \in \mathbb{Z}_p^*$, we see that the quotient of pairings in (4) actually equals $e(g, Y)^{s}$.

The scheme features about the same efficiency as classical IBE schemes derived from the commutative-blinding framework [5]. Encryption demands no pairing calculation since $e(g, h)$ and $e(g, Y)$ can both be cached as part of the system parameters. Decryption requires computing a quotient of two pairings, which is significantly faster than two independent pairing evaluations when optimized in the same way as modular multi-exponentiations.

In comparison with the most efficient standard model scheme based on the 
same assumption (which is currently the first scheme of [5]), the only overhead 
is a slightly longer ciphertext and an extra exponentiation in Gt at both ends. 

3.2 Security 

Selective-ID Security. We first prove the IND-sID-CPA security under the 
modified DBDH assumption (mDBDH). 

Theorem 1. The scheme is IND-sID-CPA under the mDBDH assumption. 

Proof. We show how a simulator $\mathcal{B}$ can interact with a selective-ID adversary $\mathcal{A}$ to solve a mDBDH instance $(T_a = g^a, T_b = g^b, T_c = g^c, T = e(g,g)^{ab/c})$. At the outset of the game, $\mathcal{A}$ announces the target identity $ID^*$. To prepare mpk, $\mathcal{B}$ chooses $\alpha, \gamma, t^* \leftarrow \mathbb{Z}_p^*$ and sets $X = T_c = g^c$, $h = T_b = g^b$, $Y = X^{\gamma} \cdot h^{-t^*}$, and $Z = g^{-ID^*} \cdot X^{\alpha}$. The adversary's view is simulated as follows.

Queries: at any time, $\mathcal{A}$ may trigger an execution of the key generation protocol for an identity $ID \neq ID^*$ of her choosing. She then supplies an element $R = h^{t_0} \cdot X^{\theta}$ along with a WI proof of knowledge of $(t_0, \theta)$. The simulator $\mathcal{B}$ verifies the proof but does not need to rewind the adversary as it can answer the query without knowing $(t_0, \theta)$. To do so, it picks $t_1 \leftarrow \mathbb{Z}_p^*$ at random and defines $W = Y \cdot R \cdot h^{t_1}$, $d'_3 = t_1$. Elements $d'_1$ and $d'_2$ are generated as

$$
(d'_1, d'_2) = \Big( (g^{ID} \cdot Z)^{r'} \cdot W^{-\frac{\alpha}{ID - ID^*}},\ X^{r'} \cdot W^{-\frac{1}{ID - ID^*}} \Big) \qquad (5)
$$

using a random $r' \leftarrow \mathbb{Z}_p^*$. If we set $\tilde{r} = r' - \frac{w}{c(ID - ID^*)}$, where $w = \log_g(W)$, we observe that $(d'_1, d'_2)$ has the correct distribution since

$$
\begin{aligned}
W^{1/c} \cdot (g^{ID} \cdot Z)^{\tilde{r}} &= W^{1/c} \cdot (g^{ID - ID^*} \cdot X^{\alpha})^{\tilde{r}} \\
&= W^{1/c} \cdot (g^{ID - ID^*} \cdot X^{\alpha})^{r'} \cdot (g^{ID - ID^*})^{-\frac{w}{c(ID - ID^*)}} \cdot (X^{\alpha})^{-\frac{w}{c(ID - ID^*)}} \\
&= (g^{ID} \cdot Z)^{r'} \cdot W^{-\frac{\alpha}{ID - ID^*}}
\end{aligned}
$$

and $X^{\tilde{r}} = X^{r'} \cdot (g^{c})^{-\frac{w}{c(ID - ID^*)}} = X^{r'} \cdot W^{-\frac{1}{ID - ID^*}}$. Finally, the "partial private key" $(d'_1, d'_2, d'_3)$ is returned to $\mathcal{A}$. Note that the above calculation can be carried out without knowing $w = \log_g(W)$ or the representation $(t_0, \theta)$ of $R$ w.r.t. $(h, X)$ and $\mathcal{B}$ does not need to rewind $\mathcal{A}$.
Challenge: when the first stage is over, $\mathcal{A}$ outputs $m_0, m_1 \in \mathbb{G}_T$. At this point, $\mathcal{B}$ picks $r^* \leftarrow \mathbb{Z}_p^*$ and defines a private key $(d_1, d_2, d_3) = (g^{\gamma} \cdot X^{\alpha r^*}, X^{r^*}, t^*)$ for the identity $ID^*$. It flips a fair coin $d^* \leftarrow \{0, 1\}$ and encrypts $m_{d^*}$ as

$$
C^*_1 = T_a = g^{a}, \qquad C^*_2 = T_a^{\alpha}, \qquad C^*_3 = T, \qquad C^*_4 = m_{d^*} \cdot \frac{e(C^*_1, d_1)}{e(C^*_2, d_2) \cdot (C^*_3)^{d_3}}.
$$

We see that $(d_1, d_2, d_3)$ is a valid key for $ID^*$. Since $g^{ID^*} \cdot Z = X^{\alpha} = T_c^{\alpha}$ and $h = g^{b}$, $C^* = (C^*_1, C^*_2, C^*_3, C^*_4)$ is a valid encryption of $m_{d^*}$ (with the exponent $s = a/c$) if $T = e(g,g)^{ab/c}$. If $T$ is random, we have $T = e(g, h)^{s'}$ for some random $s' \in \mathbb{Z}_p^*$ and thus $C^*_4 = m_{d^*} \cdot e(Y, g)^{s} \cdot e(g, h)^{(s - s') t^*}$, which means that $m_{d^*}$ is perfectly hidden since $t^*$ is independent of $\mathcal{A}$'s view.

As usual, $\mathcal{B}$ outputs 1 (meaning that $T = e(g,g)^{ab/c}$) if $\mathcal{A}$ successfully guesses $d' = d^*$ and 0 otherwise. □

In the above proof, the simulator does not rewind the adversary at any time. 
The scheme thus remains IND-sID-CPA in concurrent environments, where a 
batch of users may want to simultaneously run the key generation protocol. 

Also, the simulator knows a valid private key for each identity. This allows using hash proof systems [18, 19] as in [21, 29] to secure the scheme against chosen-ciphertext attacks. The advantage of this approach, as shown in appendices A and C, is to provide FindKey-CCA security in a white-box setting.

Unlike the Goyal-1 scheme, the basic system provides unconditional FindKey-CPA security: after an execution of the key generation protocol, even an all-powerful PKG does not have any information on the component $d_3$ that is eventually part of the private key obtained by the new user.

Theorem 2. In the information theoretic sense, no adversary has an advantage in the FindKey-CPA game.

Proof. The proof directly follows from the perfect hiding property of Pedersen's commitment [34] and the perfect witness indistinguishability of the protocol [33] for proving knowledge of a discrete logarithm representation. Since the commitment $R = h^{t_0} \cdot X^{\theta}$ and the proof of knowledge of $(t_0, \theta)$ perfectly hide $t_0$ from the PKG, all elements of $\mathbb{Z}_p^*$ are equally likely values of $d_3 = t_0 + t_1$ as for the last part of the user's eventual private key. □
The original version of the paper [31] describes a hybrid variant of the scheme that provides white-box FindKey-CCA security using authenticated symmetric encryption in the fashion of [30, 40, 27] so as to reject all invalid ciphertexts with high probability. In this version, we only consider schemes with the weak black-box traceability property.

Theorem 3. In the selective-ID ComputeNewKey game, any PPT adversary has negligible advantage assuming that the Diffie-Hellman assumption holds.

Proof. For simplicity, we prove the result using an equivalent formulation of the Diffie-Hellman problem which is to find $h^{1/x}$ given $(g, h, X = g^{x})$.

At the outset of the game, $\mathcal{A}$ declares the identity $ID^*$ for which she aims at finding two private keys $d^{(1)}_{ID^*}, d^{(2)}_{ID^*}$ comprising distinct values of $d_3 = t$. Then, the simulator $\mathcal{B}$ prepares the PKG's public key as follows. Elements $h$ and $X$ are taken from the modified Diffie-Hellman instance $(g, h, X)$. As in the proof of theorem 1, $\mathcal{B}$ defines $Z = g^{-ID^*} \cdot X^{\alpha}$ for a randomly chosen $\alpha \leftarrow \mathbb{Z}_p^*$. To define $Y$, it chooses random values $\gamma, t^*_1 \leftarrow \mathbb{Z}_p^*$ and sets $Y = X^{\gamma} \cdot h^{-t^*_1}$.

Queries: in this game, $\mathcal{A}$ is allowed to query executions of the key generation protocol w.r.t. any identity, including $ID^*$. The only requirement is that queried identities be distinct.

- For an identity $ID \neq ID^*$, $\mathcal{B}$ can proceed exactly as suggested by relation (5) in the proof of theorem 1 and does not need to rewind $\mathcal{A}$.

- When $ID = ID^*$, $\mathcal{B}$ conducts the following steps. When $\mathcal{A}$ supplies a group element $R = h^{t_0} \cdot X^{\theta}$ along with a WI proof of knowledge of $(t_0, \theta)$, $\mathcal{B}$ uses the knowledge extractor of the proof of knowledge that allows extracting a representation $(t_0, \theta)$ of $R$ by rewinding $\mathcal{A}$. Next, $\mathcal{B}$ computes $t_1 = t^*_1 - t_0$, picks $r \leftarrow \mathbb{Z}_p^*$ and returns

$$
(d'_1, d'_2, d'_3) = \big( g^{\gamma + \theta} \cdot (g^{ID^*} \cdot Z)^{r},\ X^{r},\ t_1 \big). \qquad (6)
$$

To see that the above tuple has the appropriate shape, we note that

$$
(Y \cdot R \cdot h^{t_1})^{1/x} = (Y \cdot h^{t_0 + t_1} \cdot X^{\theta})^{1/x} = (Y \cdot h^{t^*_1} \cdot X^{\theta})^{1/x} = g^{\gamma + \theta}.
$$

Output: upon its termination, $\mathcal{A}$ is expected to come up with distinct valid private keys $d^{(1)}_{ID^*} = (d^{(1)}_1, d^{(1)}_2, d^{(1)}_3)$ and $d^{(2)}_{ID^*} = (d^{(2)}_1, d^{(2)}_2, d^{(2)}_3)$, such that $t = d^{(1)}_3 \neq d^{(2)}_3 = t'$, for the identity $ID^*$. Given that we must have

$$
\begin{aligned}
d^{(1)}_1 &= (Y \cdot h^{t})^{1/x} \cdot X^{\alpha r}, & d^{(1)}_2 &= X^{r}, \\
d^{(2)}_1 &= (Y \cdot h^{t'})^{1/x} \cdot X^{\alpha r'}, & d^{(2)}_2 &= X^{r'}
\end{aligned}
$$

for some values $r, r' \in \mathbb{Z}_p$, $\mathcal{B}$ can extract

$$
h^{1/x} = \left( \frac{d^{(1)}_1 / (d^{(1)}_2)^{\alpha}}{d^{(2)}_1 / (d^{(2)}_2)^{\alpha}} \right)^{\frac{1}{t - t'}}. \qquad \square
$$
We note that, in the above proof, the simulator does not have to rewind all executions of the key generation protocol but only one, when the adversary asks for a private key corresponding to the target identity $ID^*$ (recall that all queries involve distinct identities). Given that the number of rewinds is constant, the proof still goes through when the simulator is presented with many concurrent key generation queries. If other executions of the protocol (that necessarily involve identities $ID \neq ID^*$) are nested within the one being rewound when dealing with $ID^*$, the simulator simply runs them as an honest verifier would in the proof of knowledge and calculates the PKG's output as per relation (5) in the proof of theorem 1. Thus, the initial rewind does not trigger any other one and the simulation still takes polynomial time in a concurrent setting.

Adaptive-ID Security. The scheme can obviously be made IND-ID-CPA if Waters' "hash function" $F(ID) = u' \prod_{j=1}^{n} u_j^{i_j}$, where $ID = i_1 \ldots i_n \in \{0, 1\}^n$ and $(u', u_1, \ldots, u_n)$ is part of mpk, supersedes the Boneh-Boyen identity hashing $F(ID) = g^{ID} \cdot Z$. The number theoretic hash function $F$ is chosen so as to equal $F(ID) = g^{J_1(ID)} \cdot X^{J_2(ID)}$ for integer-valued functions $J_1, J_2$ that are computable by the simulator. The security proof relies on the fact that $J_1$ is small in absolute value and cancels with non-negligible probability proportional to $1/q(n + 1)$, where $q$ is the number of key generation queries.

When extending the proof of theorem 3 to the adaptive setting, an adversary with advantage $\varepsilon$ allows solving CDH with probability $\varepsilon / 8q^2(n + 1)$. The reason is that the simulator has to guess beforehand which key generation query will involve the target identity $ID^*$. If $ID^*$ is expected to appear in the $j$-th query, when the latter is made, $\mathcal{B}$ rewinds $\mathcal{A}$ to extract $(t_0, \theta)$ and uses the special value $t_1$ to answer the query as per (6). With probability $1/q$, $\mathcal{B}$ is fortunate when choosing $j \leftarrow \{1, \ldots, q\}$ at the beginning and, again, $J_1(ID^*)$ happens to cancel with probability $1/8q(n + 1)$ for the target identity.

4 Weak Black-Box Traceability

Theorem 3 showed the infeasibility for users to compute another key from a different family given their private key. In these regards, a decryption key implements a "1-copyrighted function", in the terminology of [32, 28], for the matching identity. Using this property and the perfect white-box FindKey-CPA security, we describe a black-box tracing mechanism that protects the user from a dishonest PKG as long as the latter is denied access to a decryption oracle.

The tracing strategy is close to the one used by Kiayias and Yung [28] in 2-user traitor tracing schemes, where the tracer determines which one out of two subscribers produced a pirate decoder. In our setting, one rather has to decide whether an $\varepsilon$-useful decryption device stems from the PKG or the user himself.

Trace D (mpk, d\ D} e): given a well-formed private key d\o — (di,d 27 d 3 ) belonging 
to a user of identity ID and oracle access to a decoder ID that decrypts 
ciphertexts encrypted for ID with probability e, conduct the following steps, 
a. Initialize a counter ctr <— and repeat the next steps L = lQX/e times: 
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1. Choose distinct exponents s, s' ^- Z* at random, compute C\ = X s , 
C 2 = (g iD -Z)> and C 3 = e(g,h) s '. 

2. Calculate C4 = m ■ e(C\, di)/(e(C 2 , d 2 ) ■ C3 3 ) for a randomly chosen 
message m e G-t- 

3. Feed the decryption device D with [C\, C2, C3, C4). If B> outputs 
m' S Gt such that m' = m, increment ctr. 

b. If ctr = 0, incriminate the PKG. Otherwise, incriminate the user. 

The soundness of this algorithm is proved using a similar technique to [1]. To 
ensure the independence of iterations, we assume (as in [1]) that pirate devices 
are stateless, or resettable, and do not retain information from prior queries: 
each decryption query is answered as if it were the first one and, in particular, 
the pirate device cannot self-destruct. 

Theorem 4. Under the mDBDH assumption, dishonest users have negligible chance to produce a decryption device $\mathbb{D}$ that makes the tracing algorithm incriminate the PKG in the selective-ID ComputeNewKey game.

Proof. The tracing algorithm points to the PKG if it ends up with $ctr = 0$. The variable $ctr$ can be seen as the sum of $L = 16\lambda/\varepsilon$ independent random variables $X_i \in \{0,1\}$ having the same expected value $p_1$. We have $\mu = \mathrm{E}[ctr] = L p_1$. The Chernoff bound tells us that, for any real number $\omega$ such that $0 < \omega < 1$, $\Pr[ctr < (1-\omega)\mu] < \exp(-\mu\omega^2/2)$. Under the mDBDH assumption, we certainly have $\mathbf{Adv}^{\mathrm{mDBDH}}(\lambda) \le \varepsilon/2$ (since $\varepsilon/2$ is presumably non-negligible). Lemma 1 shows that $p_1 \ge \varepsilon - \mathbf{Adv}^{\mathrm{mDBDH}}(\lambda)$, which implies

$$\mu = L p_1 \ge L\big(\varepsilon - \mathbf{Adv}^{\mathrm{mDBDH}}(\lambda)\big) \ge \frac{L\varepsilon}{2} = 8\lambda. \tag{7}$$

With $\omega = 1/2$, the Chernoff bound guarantees that (using $4\lambda \le \mu/2$ from (7))

$$\Pr[ctr < 1] \le \Pr[ctr < 4\lambda] \le \Pr[ctr < \mu/2] < \exp(-\mu/8) \le \exp(-\lambda).$$

$\square$

Lemma 1. In the selective-ID ComputeNewKey game, if $\mathbb{D}$ correctly opens well-formed ciphertexts with probability $\varepsilon$, the probability that an iteration of the tracing algorithm increases $ctr$ is at least $p_1 \ge \varepsilon - \mathbf{Adv}^{\mathrm{mDBDH}}(\lambda)$.

Proof. We consider two games called $\mathrm{Game}_0$ and $\mathrm{Game}_1$ where the adversary $\mathcal{A}$ is faced with a ComputeNewKey challenger $\mathcal{B}$ and produces a decryption device $\mathbb{D}$ which is provided with ciphertexts during a tracing stage. In $\mathrm{Game}_0$, $\mathbb{D}$ is given a properly formed encryption of some plaintext $m$ whereas it is given a ciphertext $C$ where $C_3$ has been changed in $\mathrm{Game}_1$. In either case, we call $p_i$ (with $i \in \{0,1\}$) the probability that $\mathbb{D}$ returns the plaintext $m$ chosen by $\mathcal{B}$.

In the beginning of $\mathrm{Game}_0$, $\mathcal{A}$ chooses a target identity $\mathrm{ID}^*$ and $\mathcal{B}$ defines the system parameters as $X = g^c$, $h = g^b$, $Y = X^{\gamma} \cdot h^{-t^*}$ and $Z = g^{-\mathrm{ID}^*} \cdot X^{\alpha}$ for random $\alpha, \gamma, t^* \xleftarrow{R} \mathbb{Z}_p^*$. Then, $\mathcal{A}$ starts making key generation queries that are treated using the same technique as in the proof of theorem 3. Again, $\mathcal{B}$ only has to rewind the WI proof when the query pertains to $\mathrm{ID}^*$.

At the end of the game, $\mathcal{A}$ outputs a decryption box $\mathbb{D}$ that correctly decrypts a fraction $\varepsilon$ of ciphertexts. Then, $\mathcal{B}$ constructs a ciphertext $C$ as

$$C_1 = g^{a}, \qquad C_2 = (g^{a})^{\alpha}, \qquad C_3 = T, \qquad C_4 = m \cdot \frac{e(C_1, d_1)}{e(C_2, d_2) \cdot C_3^{d_3}}$$

where $T \in \mathbb{G}_T$ (note that $g^{\mathrm{ID}^*} \cdot Z = X^{\alpha}$, so that $C_1 = X^{a/c}$ and $C_2 = (g^{\mathrm{ID}^*} \cdot Z)^{a/c}$). In $\mathrm{Game}_0$, $\mathcal{B}$ sets $T = e(g,g)^{ab/c}$ so that we have $C_3 = e(g,h)^{a/c}$ and $C$ is a valid ciphertext (for the encryption exponent $s = a/c$) that $\mathbb{D}$ correctly decrypts with probability $\varepsilon$. In this case, $\mathbb{D}$ thus outputs $m' = m \in \mathbb{G}_T$ with probability $p_0 = \varepsilon$. In $\mathrm{Game}_1$, $T$ is chosen as a random element of $\mathbb{G}_T$ and $C = (C_1, C_2, C_3, C_4)$ has the distribution of a ciphertext produced by the tracing stage and $\mathbb{D}$ must output a plaintext $m' = m$ with probability $p_1$. It is clear that $|p_0 - p_1| \le \mathbf{Adv}^{\mathrm{mDBDH}}(\lambda)$ and we thus have $p_1 \ge \varepsilon - \mathbf{Adv}^{\mathrm{mDBDH}}(\lambda)$. $\square$

The proofs of theorem 4 and lemma 1 extend to the adaptive-ID setting using the same arguments as in the last paragraph of section 3. As mentioned in the remark at the end of section 3.2, proving adaptive-ID white-box security against dishonest users incurs a quadratic degradation factor in the number of adversarial queries. When transposing the proof of lemma 1 to the adaptive-ID model, we are faced with the same quadratic degradation in $q$ and the bound on $p_1$ becomes $p_1 \ge \varepsilon - 8 \cdot q^2 (n+1) \cdot \mathbf{Adv}^{\mathrm{mDBDH}}(\lambda)$. The proof of theorem 4 goes through as long as $\varepsilon \ge 16 \cdot q^2 \cdot (n+1) \cdot \mathbf{Adv}^{\mathrm{mDBDH}}(\lambda)$ (so that $p_1 \ge \varepsilon/2$). Since $q$ is polynomial, this is asymptotically the case since $q^2 \cdot (n+1) \cdot \mathbf{Adv}^{\mathrm{mDBDH}}(\lambda)$ remains negligible under the mDBDH assumption.

The system turns out to be the first scheme that is amenable for weak black-box traceability against dishonest users in the adaptive-ID sense. Due to their reliance on attribute-based encryption techniques (for which only selective-ID adversaries were dealt with so far), earlier (weak) black-box A-IBE proposals [24, 25] are only known to provide selective-ID security against dishonest users.

As for the security against dishonest PKGs, we observed that, in the FindKey-CPA game, the last part $d_3 = t$ of the user's private key is perfectly hidden to the malicious PKG after the key generation protocol. Then, a pirate decoder $\mathbb{D}$ made by the PKG has negligible chance of decrypting ciphertexts where $C_3$ is random in the same way as the user would. When the user comes across $\mathbb{D}$ and takes it to the court, the latter runs the tracing algorithm using $\mathbb{D}$ and the user's well-formed key $d_{\mathrm{ID}} = (d_1, d_2, d_3)$ for which $d_3$ is independent of $\mathbb{D}$.

Lemma 2. In the FindKey-CPA game, one iteration of the tracing algorithm increases $ctr$ with probability at most $1/p$.

Proof. In an iteration of the tracing stage, $\mathbb{D}$ is given $C = (C_1, C_2, C_3, C_4)$ such that $C_1 = X^s$, $C_2 = (g^{\mathrm{ID}} \cdot Z)^s$, $C_3 = e(g,h)^{s'}$ and $C_4 = m \cdot e(g,Y)^s \cdot e(g,h)^{(s-s')t}$ for distinct $s, s' \xleftarrow{R} \mathbb{Z}_p^*$. Since $\mathbb{D}$ has no information on $d_3 = t$, for any plaintext $m \in \mathbb{G}_T$, there is a value $d_3$ that explains $C_4$ and it comes that $\mathbb{D}$ returns the one chosen by the tracer with probability $1/p$. $\square$

We note that a pirate device $\mathbb{D}$ generated by the dishonest PKG is able to recognize invalid ciphertexts in the tracing stage (as it may contain the master secret $x$). However, as long as $\mathbb{D}$ is assumed stateless, it cannot shut down or self-destruct when detecting a tracing attempt. Moreover, with all but negligible probability, it will never be able to decrypt such invalid ciphertexts in the same way as the owner of $d_{\mathrm{ID}}$ would.

Theorem 5. In the black-box FindKey-CPA game, a dishonest PKG has negligible advantage.

Proof. The dishonest PKG is not detected if it outputs a decryption box for which the tracing ends with a non-zero value of $ctr$. From lemma 2, it easily comes that $\Pr[ctr \neq 0] = \Pr[ctr \ge 1] \le L/p = 16\lambda/(\varepsilon p) < 16\lambda/(2^{\lambda} \varepsilon)$. $\square$

To secure the scheme against chosen-ciphertext attacks and preserve the weak black-box property, we can use the Canetti-Halevi-Katz [15] technique or its optimizations [11, 12] that do not affect the tracing algorithm.

5 Extension to Gentry's IBE

In this section, we show how to apply the weak black-box tracing mechanism of section 4 to Gentry's IBE. The resulting A-IBE system is obtained by bringing a simple modification to the key generation protocol of Goyal's first scheme [24] so as to perfectly hide the user's key family from the PKG's view while preserving the efficiency of the whole scheme.

The advantage of this scheme is to directly provide adaptive-ID security against dishonest users and under reductions that are just as tight as in Gentry's system. This benefit comes at the expense of sacrificing the concurrent security of the key generation protocol (as security proofs require to rewind at each key generation query) and relying on a somewhat strong assumption.

Definition 4 ([21]). In bilinear groups $(\mathbb{G}, \mathbb{G}_T)$, the $q$-Decision Augmented Bilinear Diffie-Hellman Exponent Problem ($q$-ADBDHE) is to distinguish the distribution $\big(g, g^{a}, \ldots, g^{(a^q)}, h, h^{(a^{q+2})}, e(g,h)^{(a^{q+1})}\big)$ from the distribution $\big(g, g^{a}, \ldots, g^{(a^q)}, h, h^{(a^{q+2})}, e(g,h)^{\beta}\big)$, where $a, \beta \xleftarrow{R} \mathbb{Z}_p^*$ and $h \xleftarrow{R} \mathbb{G}^*$. The advantage $\mathbf{Adv}^{q\text{-ADBDHE}}(\lambda)$ of a distinguisher $\mathcal{B}$ is defined as in definition 5.

In the description hereafter, the encryption and decryption algorithms are exactly as in [21]. Since the key generation protocol perfectly conceals the user's key family, we can apply the same weak black-box tracing mechanism as in section 4. The resulting system turns out to be the most efficient adaptive-ID secure weakly black-box A-IBE to date.

Setup: given a security parameter $\lambda \in \mathbb{N}$, the PKG chooses bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of order $p > 2^{\lambda}$ with a generator $g \xleftarrow{R} \mathbb{G}$. It picks $h \xleftarrow{R} \mathbb{G}$ and $\alpha \xleftarrow{R} \mathbb{Z}_p^*$ at random. It defines the master key as $\mathrm{msk} := \alpha$ and the master public key is defined to be $\mathrm{mpk} := (g, g_1 = g^{\alpha}, h)$.

$\mathsf{Keygen}^{(\mathrm{PKG}, U)}$: the user $U$ and the PKG interact in the following protocol.

1. $U$ picks $t_0, \theta \xleftarrow{R} \mathbb{Z}_p^*$ and sends a commitment $R = g^{-t_0} \cdot (g_1 \cdot g^{-\mathrm{ID}})^{\theta}$ to the PKG. He also gives an interactive witness indistinguishable proof of knowledge of the pair $(t_0, \theta)$.

2. The PKG outputs $\bot$ if the proof of knowledge is invalid. Otherwise, it picks $t_1 \xleftarrow{R} \mathbb{Z}_p^*$ and returns

$$d'_{\mathrm{ID}} = (d', t'_{\mathrm{ID}}) = \Big( (h \cdot R \cdot g^{-t_1})^{1/(\alpha - \mathrm{ID})},\ t_1 \Big). \tag{8}$$

3. $U$ computes $d_{\mathrm{ID}} = (d'/g^{\theta},\ t'_{\mathrm{ID}} + t_0)$ which should equal

$$d_{\mathrm{ID}} = (d, t_{\mathrm{ID}}) = \Big( (h \cdot g^{-(t_0 + t_1)})^{1/(\alpha - \mathrm{ID})},\ t_0 + t_1 \Big). \tag{9}$$

Then, $U$ checks whether $d_{\mathrm{ID}}$ satisfies the relation

$$e(d, g_1 \cdot g^{-\mathrm{ID}}) = e(h, g) \cdot e(g, g)^{-t_{\mathrm{ID}}}. \tag{10}$$

If so, he sets his private key as $d_{\mathrm{ID}}$, which belongs to the key family identified by $t_{\mathrm{ID}} = t_0 + t_1$. He outputs $\bot$ otherwise.

Encrypt: to encrypt $m \in \mathbb{G}_T$ given $\mathrm{mpk}$ and $\mathrm{ID}$, choose $s \xleftarrow{R} \mathbb{Z}_p^*$ and compute

$$C = (C_1, C_2, C_3) = \Big( (g_1 \cdot g^{-\mathrm{ID}})^{s},\ e(g,g)^{s},\ m \cdot e(g,h)^{s} \Big).$$

Decrypt: given $C = (C_1, C_2, C_3)$ and $d_{\mathrm{ID}} = (d, t_{\mathrm{ID}})$, compute

$$m = C_3 \cdot \big( e(C_1, d) \cdot C_2^{t_{\mathrm{ID}}} \big)^{-1}.$$

$\mathsf{Trace}^{\mathbb{D}}(\mathrm{mpk}, d_{\mathrm{ID}}, \varepsilon)$: given a valid private key $d_{\mathrm{ID}} = (d, t_{\mathrm{ID}})$ belonging to user $\mathrm{ID}$ and an $\varepsilon$-useful pirate decoder $\mathbb{D}$, conduct the following steps.

a. Set $ctr \leftarrow 0$ and repeat the next steps $L = 16\lambda/\varepsilon$ times:

   1. Choose $s, s' \xleftarrow{R} \mathbb{Z}_p^*$ such that $s \neq s'$ and set $C_1 = (g_1 \cdot g^{-\mathrm{ID}})^{s}$ and $C_2 = e(g,g)^{s'}$ (a well-formed ciphertext would have $C_2 = e(g,g)^{s}$).

   2. Compute $C_3 = m \cdot e(C_1, d) \cdot C_2^{t_{\mathrm{ID}}}$ for a random message $m \in \mathbb{G}_T$.

   3. Feed the decryption device $\mathbb{D}$ with $(C_1, C_2, C_3)$. If $\mathbb{D}$ outputs $m' \in \mathbb{G}_T$ such that $m' = m$, increment $ctr$.

b. If $ctr = 0$, incriminate the PKG. Otherwise, incriminate the user.
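The following Python code is an added example, not part of the paper: it instantiates Setup, Keygen, Encrypt, Decrypt and Trace of the scheme above, and thereby also the tracing procedure of section 4 from which it is derived (the same $L = 16\lambda/\varepsilon$ loop and the same trick of a second exponent $s' \neq s$ in the $\mathbb{G}_T$ component). The bilinear group is symbolic: every element of $\mathbb{G}$ and $\mathbb{G}_T$ is stored as its discrete logarithm modulo a prime, so the pairing is a product of exponents. This generic-group stand-in exercises the algebra (blinding, relation (10), correctness, tracing) but provides no security; a real implementation swaps the four group primitives for a pairing-friendly curve. The WI proof of knowledge is not modelled, and the function names, the prime `P`, the $\varepsilon$-useful user decoder and the PKG-built decoder (which knows $\alpha$ but not $t_0$, so it can only use a key from a family of its own choice) are this example's own assumptions.

```python
"""Added example: the A-IBE of section 5 (Gentry-based) with its Trace, over a
symbolic bilinear group.  Elements of G and G_T are discrete logarithms mod P,
so e(g^a, g^b) = e(g,g)^{ab} becomes a*b mod P.  Correctness only, no security.
"""
import math
import secrets

P = (1 << 61) - 1          # prime used as group order (assumed stand-in, not a curve order)
G = 1                      # the generator g, i.e. the exponent 1

def rnd():                 # uniform element of Z_p^*
    return secrets.randbelow(P - 1) + 1

def inv(x):                # inverse in Z_p (P is prime)
    return pow(x % P, P - 2, P)

def gmul(a, b): return (a + b) % P       # product in G or G_T
def gpow(a, k): return (a * k) % P       # exponentiation in G or G_T
def ginv(a):    return (-a) % P          # inverse in G or G_T
def pair(a, b): return (a * b) % P       # e(g^a, g^b) = e(g, g)^{ab}

def setup():
    alpha, h = rnd(), rnd()
    return (G, gpow(G, alpha), h), alpha             # mpk = (g, g1 = g^alpha, h), msk = alpha

def keygen(mpk, msk, ID):
    """Interactive Keygen between user U and the PKG (steps 1-3 of section 5).
    The WI proof of knowledge of (t0, theta) is assumed to have been accepted."""
    g, g1, h = mpk
    base = gmul(g1, ginv(gp_id := gpow(g, ID)))      # g1 * g^{-ID}
    t0, theta = rnd(), rnd()                         # step 1 (U): R = g^{-t0} (g1 g^{-ID})^theta
    R = gmul(ginv(gpow(g, t0)), gpow(base, theta))
    t1 = rnd()                                       # step 2 (PKG): relation (8)
    d_prime = gpow(gmul(gmul(h, R), ginv(gpow(g, t1))), inv(msk - ID))
    d, t_ID = gmul(d_prime, ginv(gpow(g, theta))), (t1 + t0) % P   # step 3 (U): relation (9)
    # relation (10): e(d, g1 g^{-ID}) = e(h, g) * e(g, g)^{-t_ID}
    if pair(d, base) != gmul(pair(h, g), ginv(gpow(pair(g, g), t_ID))):
        raise ValueError("PKG returned a malformed key")
    return (d, t_ID)

def encrypt(mpk, ID, m):
    g, g1, h = mpk
    s = rnd()
    C1 = gpow(gmul(g1, ginv(gpow(g, ID))), s)        # (g1 g^{-ID})^s
    return (C1, gpow(pair(g, g), s), gmul(m, gpow(pair(g, h), s)))

def decrypt(mpk, d_ID, C):
    C1, C2, C3 = C
    d, t_ID = d_ID
    return gmul(C3, ginv(gmul(pair(C1, d), gpow(C2, t_ID))))   # C3 (e(C1,d) C2^{t_ID})^{-1}

def trace(mpk, ID, d_ID, decoder, eps, lam):
    """Trace^D(mpk, d_ID, eps): returns ('PKG' or 'user', ctr)."""
    g, g1, h = mpk
    d, t_ID = d_ID
    base = gmul(g1, ginv(gpow(g, ID)))
    ctr = 0
    for _ in range(math.ceil(16 * lam / eps)):       # L = 16 lambda / eps iterations
        s, s_prime, m = rnd(), rnd(), rnd()          # m is a random plaintext in G_T
        while s_prime == s:
            s_prime = rnd()
        C1 = gpow(base, s)
        C2 = gpow(pair(g, g), s_prime)               # second exponent s' != s
        C3 = gmul(gmul(m, pair(C1, d)), gpow(C2, t_ID))   # m e(C1, d) C2^{t_ID}
        if decoder((C1, C2, C3)) == m:
            ctr += 1
    return ("PKG" if ctr == 0 else "user"), ctr

def pkg_decoder(mpk, msk, ID):
    """Pirate decoder built by a dishonest PKG: t0 is perfectly hidden from it,
    so the best it can do is a key for ID from a family t' of its own choice."""
    g, g1, h = mpk
    t_fake = rnd()
    d_fake = gpow(gmul(h, ginv(gpow(g, t_fake))), inv(msk - ID))
    return lambda C: decrypt(mpk, (d_fake, t_fake), C)

def eps_useful_user_decoder(mpk, d_ID, eps):
    """Stateless decoder derived from the user's key that answers only about a
    fraction eps of the ciphertexts (the decision depends on C2 only)."""
    return lambda C: decrypt(mpk, d_ID, C) if (C[1] % 1000) < eps * 1000 else None

def demo(lam=32):
    ID = rnd()
    mpk, msk = setup()
    d_ID = keygen(mpk, msk, ID)
    m = rnd()
    ok = decrypt(mpk, d_ID, encrypt(mpk, ID, m)) == m
    D_pkg = pkg_decoder(mpk, msk, ID)
    pkg_useful = D_pkg(encrypt(mpk, ID, m)) == m     # 1-useful on well-formed ciphertexts ...
    v_pkg, _ = trace(mpk, ID, d_ID, D_pkg, 1.0, lam) # ... yet never opens tracing ciphertexts
    v_user, _ = trace(mpk, ID, d_ID, eps_useful_user_decoder(mpk, d_ID, 0.5), 0.5, lam)
    return ok, pkg_useful, v_pkg, v_user

if __name__ == "__main__":
    print(demo())
```

On a tracing ciphertext the PKG's decoder returns $m \cdot e(g,g)^{(s-s')(t'-t_{\mathrm{ID}})}$, which differs from $m$ whenever $t' \neq t_{\mathrm{ID}}$, so its counter stays at zero and the PKG is incriminated, while the user's own key cancels the $C_2^{t_{\mathrm{ID}}}$ factor and is incriminated as soon as one of the $L$ iterations succeeds.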

The IND-ID-CPA security of the scheme can be simply reduced to that of Gentry's IBE as shown in the proof of the next theorem.

Theorem 6. Any IND-ID-CPA adversary against the above A-IBE implies an IND-ID-CPA attacker against Gentry's IBE.

Proof. Let us assume an IND-ID-CPA adversary $\mathcal{A}$ in the game described by definition 2. We show that $\mathcal{A}$ gives rise to an IND-ID-CPA adversary $\mathcal{B}$ against Gentry's IBE.

Our adversary $\mathcal{B}$ receives a master public key $\mathrm{mpk} = (g, g_1, h)$ from her challenger. When $\mathcal{A}$ makes a key generation request for an identity $\mathrm{ID}$, $\mathcal{B}$ queries her own challenger to extract a private key $d_{\mathrm{ID}} = (d, t_{\mathrm{ID}}) = \big( (h \cdot g^{-t_{\mathrm{ID}}})^{1/(\alpha - \mathrm{ID})},\ t_{\mathrm{ID}} \big)$ and starts executing the key generation protocol in interaction with $\mathcal{A}$. The latter first supplies a commitment $R = g^{-t_0} \cdot (g_1 \cdot g^{-\mathrm{ID}})^{\theta}$ and an interactive WI proof of knowledge of the pair $(t_0, \theta)$. Using the knowledge extractor of the proof of knowledge, $\mathcal{B}$ extracts $(t_0, \theta)$ by rewinding $\mathcal{A}$ and returns $d'_{\mathrm{ID}} = (d', t'_{\mathrm{ID}})$, where $t'_{\mathrm{ID}} = t_{\mathrm{ID}} - t_0$ and $d' = d \cdot g^{\theta}$.

In the challenge phase, $\mathcal{A}$ chooses a target identity $\mathrm{ID}^*$ and messages $(m_0, m_1)$, which $\mathcal{B}$ forwards to her own challenger. The latter provides $\mathcal{B}$ with a challenge ciphertext $(C_1, C_2, C_3)$ which is relayed to $\mathcal{A}$. After a second series of key generation queries, $\mathcal{A}$ outputs a bit $d \in \{0,1\}$, which is also $\mathcal{B}$'s output. It is easy to see that, if $\mathcal{A}$ is successful, so is $\mathcal{B}$. $\square$

We now turn to prove the weak black-box traceability property.

Lemma 3. In the adaptive-ID ComputeNewKey game and for an $\varepsilon$-useful device $\mathbb{D}$, the probability that an iteration of the tracing algorithm increases $ctr$ is at least $p_1 \ge \varepsilon - \mathbf{Adv}^{q\text{-ADBDHE}}(\lambda)$, where $q$ is the number of key generation queries.

Proof. The proof is very similar to the proof of IND-ID-CPA security in [21]. For the sake of contradiction, let us assume that, in an iteration of the tracing procedure, the probability $p_1$ that $\mathbb{D}$ returns the message chosen by the tracer is significantly smaller than $\varepsilon$. Then, we can construct a distinguisher $\mathcal{B}$ for the $q$-ADBDHE assumption.

The distinguisher $\mathcal{B}$ takes as input a tuple $\big(g, g^{a}, \ldots, g^{(a^q)}, \hat{h}, \hat{h}^{(a^{q+2})}, T\big)$, where we write $\hat{h}$ for the element called $h$ in definition 4 in order to avoid a clash with the element $h$ of $\mathrm{mpk}$, and aims at deciding if $T = e(g, \hat{h})^{(a^{q+1})}$. It generates the master public key in such a way that $h = g^{f(a)}$, for some random polynomial $f(X) \in \mathbb{Z}_p[X]$ of degree $q$. At each key generation query, $\mathcal{B}$ first computes a valid private key $d_{\mathrm{ID}} = (d, t_{\mathrm{ID}})$ for the identity $\mathrm{ID}$, by setting $t_{\mathrm{ID}} = f(\mathrm{ID})$ as in the proof of theorem 1 in [21]. Then, in the interactive key generation protocol, $\mathcal{A}$ sends a commitment $R = g^{-t_0} \cdot (g_1 \cdot g^{-\mathrm{ID}})^{\theta}$ and proves knowledge of the pair $(t_0, \theta)$, which $\mathcal{B}$ extracts by rewinding $\mathcal{A}$ as in the proof of theorem 6. As in the latter, $\mathcal{B}$ replies with a well-distributed pair $d'_{\mathrm{ID}} = (d', t'_{\mathrm{ID}})$, where $t'_{\mathrm{ID}} = t_{\mathrm{ID}} - t_0$ and $d' = d \cdot g^{\theta}$.

The game ends with $\mathcal{A}$ outputting an identity $\mathrm{ID}^*$, a private key $d_{\mathrm{ID}^*} = (d^*, t^*_{\mathrm{ID}^*})$ and an $\varepsilon$-useful device. In the tracing stage, $\mathcal{B}$ first expands the monic polynomial $F(X) = (X^{q+2} - \mathrm{ID}^{*q+2})/(X - \mathrm{ID}^*) = X^{q+1} + F_q X^{q} + \cdots + F_1 X + F_0$. Then, $\mathcal{B}$ chooses a plaintext $m \in \mathbb{G}_T$ and computes $C = (C_1, C_2, C_3)$ as

$$C_1 = \hat{h}^{(a^{q+2})} \cdot \hat{h}^{-\mathrm{ID}^{*q+2}}, \qquad C_2 = T \cdot e\Big(\hat{h}, \prod_{i=0}^{q} g^{F_i a^{i}}\Big), \qquad C_3 = m \cdot e(C_1, d^*) \cdot C_2^{t^*_{\mathrm{ID}^*}}.$$

If $\mathbb{D}$ returns the correct plaintext $m$, the distinguisher $\mathcal{B}$ halts and returns 1. As in [21], $(C_1, C_2, C_3)$ is a well-formed ciphertext with the encryption exponent $s = \log_g(\hat{h}) F(a)$ if $T = e(g, \hat{h})^{(a^{q+1})}$. In this case, $\mathcal{B}$ returns 1 with probability $\varepsilon$ since $\mathbb{D}$ is an $\varepsilon$-useful device. By assumption, the probability that $\mathcal{B}$ returns 1 when $T$ is random is significantly smaller than $\varepsilon$. Therefore, $\mathcal{B}$ has non-negligible advantage as a distinguisher against the $q$-ADBDHE assumption. $\square$

Theorem 7. In the adaptive-ID ComputeNewKey game, any PPT adversary has negligible advantage assuming that the $q$-ADBDHE assumption holds.

Proof. The proof is completely analogous to that of theorem 4. $\square$

The weak black-box security against dishonest PKGs follows from the information theoretic secrecy of the user's private key element $t_{\mathrm{ID}}$ upon termination of the key generation protocol.

Theorem 8. In the information theoretic sense, no adversary has an advantage in the FindKey-CPA game.

To secure the scheme against chosen-ciphertext attacks, we cannot use hash proof systems as suggested in [21, 29]. This technique would indeed cause the decryption algorithm to reject all invalid ciphertexts with high probability, which would not be compatible with our weak black-box tracing mechanism.

Fortunately, CCA2-security can be acquired by applying the Canetti-Halevi-Katz transformation to a two-receiver variant of the Gentry-Waters identity-based broadcast encryption (IBBE) scheme [22]: one of the two receivers' identities is set to be the verification key of a strongly unforgeable one-time signature and the matching private key is used to sign the whole ciphertext.

Our tracing algorithm can be combined with the latter approach since, in the Gentry-Waters IBBE [22], private keys have the same shape as in Gentry's IBE and one of the ciphertext components lives in the group $\mathbb{G}_T$. As already mentioned, the CHK technique does not affect traceability as, upon decryption, ill-formed ciphertexts only get rejected when the one-time signature verification fails. The computational/bandwidth cost of the resulting system exceeds that of the above A-IBE construction only by a small factor.

6 Extension to Identity-Based Broadcast Encryption

As already stressed in [24, 25], reducing the required amount of trust in PKGs is an equally important problem in IBE schemes and their extensions such as attribute-based encryption or identity-based broadcast encryption (IBBE).

In this section, we thus show how the underlying idea of previous schemes can be applied to one of the most efficient IBBE realizations to date.

6.1 The Boneh-Hamburg IBBE

An identity-based broadcast encryption scheme, as formalized in [2], can be seen as an IBE where ciphertexts can be decrypted by more than one receiver. Syntactically, it consists of four algorithms:

— Setup: given a security parameter and a bound $N$ on the number of receivers per ciphertext, this algorithm outputs a master key pair $(\mathrm{mpk}, \mathrm{msk})$.

— KeyGen: is used by the PKG to derive a private key $K_{\mathrm{ID}}$ for an identity $\mathrm{ID}$.

— Encrypt: takes as input a plaintext $m$, a master public key $\mathrm{mpk}$ and a set $S = \{\mathrm{ID}_1, \ldots, \mathrm{ID}_n\}$ of receivers' identities, where $n \le N$. It outputs a ciphertext $C$.

— Decrypt: takes as input the master public key $\mathrm{mpk}$, a ciphertext $C$, a set of receivers $S = \{\mathrm{ID}_1, \ldots, \mathrm{ID}_n\}$ and a private key $K_{\mathrm{ID}}$ corresponding to some identity $\mathrm{ID} \in S$. It outputs a plaintext $m$ or $\bot$.

In [10], Boneh and Hamburg showed how to turn the Boneh-Boyen-Goh hierarchical IBE [7] into an efficient IBBE system with constant-size ciphertexts and private keys of size linear in the bound $N$ on the number of receivers per ciphertext. Their construction was shown to derive from a more general primitive termed "spatial encryption". Its security (in the selective-ID sense) was established under the following assumption introduced in [7].

Definition 5. Let $(\mathbb{G}, \mathbb{G}_T)$ be bilinear groups of order $p$ and $g \in \mathbb{G}$. The $\ell$-Decision Bilinear Diffie-Hellman Exponent ($\ell$-DBDHE) problem is, given

$$\big(g, g^{a}, g^{(a^2)}, \ldots, g^{(a^{\ell})}, g^{(a^{\ell+2})}, \ldots, g^{(a^{2\ell})}, h, T\big) \in \mathbb{G}^{2\ell+1} \times \mathbb{G}_T \quad \text{for random } a \xleftarrow{R} \mathbb{Z}_p^*$$

and $h \xleftarrow{R} \mathbb{G}$, to decide whether $T = e(g, h)^{(a^{\ell+1})}$. The advantage $\mathbf{Adv}^{\ell\text{-DBDHE}}(\lambda)$ of a distinguisher $\mathcal{B}$ is defined in the usual way.

In the following, we use the same notations as in [10] and, for any vector $\boldsymbol{\alpha} = (\alpha_0, \ldots, \alpha_N) \in \mathbb{Z}_p^{N+1}$, $g^{\boldsymbol{\alpha}}$ stands for the vector $(g^{\alpha_0}, \ldots, g^{\alpha_N}) \in \mathbb{G}^{N+1}$. The description of the Boneh-Hamburg IBBE scheme is as follows.

Setup$(\lambda, N)$: given a security parameter $\lambda \in \mathbb{N}$ and the maximal number of receivers $N \in \mathbb{N}$ per ciphertext, choose bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p > 2^{\lambda}$ and a generator $g \xleftarrow{R} \mathbb{G}$. Choose $z \xleftarrow{R} \mathbb{G}$ as well as an $(N+1)$-vector $\mathbf{h} = (h_0, h_1, \ldots, h_N) \xleftarrow{R} \mathbb{G}^{N+1}$ of random generators so that $h_i = g^{\alpha_i}$ for $i = 0, \ldots, N$ with a randomly chosen $\boldsymbol{\alpha} = (\alpha_0, \ldots, \alpha_N) \xleftarrow{R} \mathbb{Z}_p^{N+1}$. Finally, pick $a \xleftarrow{R} \mathbb{Z}_p^*$, $g_2 \xleftarrow{R} \mathbb{G}$ and compute $g_1 = g^{a}$. The master public key is $\mathrm{mpk} = (g, g_1 = g^{a}, g_2, z, \mathbf{h} = g^{\boldsymbol{\alpha}})$ while the master secret key is $\mathrm{msk} = (a, \boldsymbol{\alpha})$.

Keygen$(\mathrm{msk}, \mathrm{ID})$: to generate a private key for an identity $\mathrm{ID}$, choose a random $r \xleftarrow{R} \mathbb{Z}_p^*$ and compute

$$K_{\mathrm{ID}} = (K_1, K_2, T_0, \ldots, T_{N-1}) = \big( g_2^{a} \cdot z^{r},\ g^{r},\ h_1^{r} \cdot h_0^{-\mathrm{ID} \cdot r},\ h_2^{r} \cdot h_1^{-\mathrm{ID} \cdot r},\ \ldots,\ h_N^{r} \cdot h_{N-1}^{-\mathrm{ID} \cdot r} \big)$$

for which the "delegation component" $(T_0, \ldots, T_{N-1}) \in \mathbb{G}^{N}$ can be expressed as $g^{r \cdot M_{\mathrm{ID}}^{\top} \cdot \boldsymbol{\alpha}}$, for some matrix $M_{\mathrm{ID}} \in \mathbb{Z}_p^{(N+1) \times N}$, which will be defined below.

Encrypt$(\mathrm{mpk}, S, m)$: to encrypt $m \in \mathbb{G}_T$ for the receiver set $S = \{\mathrm{ID}_1, \ldots, \mathrm{ID}_n\}$, where $n \le N$,

1. Expand the polynomial

$$P(X) = \prod_{\mathrm{ID}_i \in S} (X - \mathrm{ID}_i) = p_n X^{n} + p_{n-1} X^{n-1} + \cdots + p_1 X + p_0. \tag{11}$$

2. Pick $s \xleftarrow{R} \mathbb{Z}_p^*$ and compute

$$C = (C_0, C_1, C_2) = \big( m \cdot e(g_1, g_2)^{s},\ g^{s},\ (z \cdot h_0^{p_0} \cdot h_1^{p_1} \cdots h_n^{p_n})^{s} \big).$$

Decrypt$(\mathrm{mpk}, K_{\mathrm{ID}}, C, S)$: parse $S$ as $\{\mathrm{ID}_1, \ldots, \mathrm{ID}_n\}$, $C$ as $(C_0, C_1, C_2)$ and $K_{\mathrm{ID}}$ as $K_{\mathrm{ID}} = (K_1, K_2, T_0, \ldots, T_{N-1}) \in \mathbb{G}^{N+2}$.

1. Expand the polynomial

$$P_{\mathrm{ID}}(X) = \prod_{\mathrm{ID}_j \in S \setminus \{\mathrm{ID}\}} (X - \mathrm{ID}_j) = y^{(\mathrm{ID})}_{n-1} X^{n-1} + \cdots + y^{(\mathrm{ID})}_1 X + y^{(\mathrm{ID})}_0$$

and use its coefficients to compute

$$(D_{\mathrm{ID}}, d_{\mathrm{ID}}) = \big( K_1 \cdot T_0^{y^{(\mathrm{ID})}_0} \cdot T_1^{y^{(\mathrm{ID})}_1} \cdots T_{n-1}^{y^{(\mathrm{ID})}_{n-1}},\ K_2 \big) \tag{12}$$

$$= \big( g_2^{a} \cdot (z \cdot h_0^{p_0} \cdot h_1^{p_1} \cdots h_n^{p_n})^{r},\ g^{r} \big) \tag{13}$$

where $p_0, \ldots, p_n$ are the coefficients of $P(X)$ (calculated as per (11)).

2. Recover the plaintext as

$$m = C_0 \cdot e(C_1, D_{\mathrm{ID}})^{-1} \cdot e(C_2, d_{\mathrm{ID}}). \tag{14}$$

To see why step 1 of the decryption algorithm works, one observes that, for any polynomials $(X - \mathrm{ID})$ and $P_{\mathrm{ID}}(X) = y^{(\mathrm{ID})}_{n-1} X^{n-1} + y^{(\mathrm{ID})}_{n-2} X^{n-2} + \cdots + y^{(\mathrm{ID})}_1 X + y^{(\mathrm{ID})}_0$, the coefficients of $P(X) = (X - \mathrm{ID}) P_{\mathrm{ID}}(X) = p_n X^{n} + \cdots + p_1 X + p_0$ are given by $p_k = y^{(\mathrm{ID})}_{k-1} - \mathrm{ID} \cdot y^{(\mathrm{ID})}_{k}$ for $k = 0, \ldots, n$ (with the conventions $y^{(\mathrm{ID})}_{-1} = y^{(\mathrm{ID})}_{n} = 0$), i.e. $\mathbf{p} = M_{\mathrm{ID}} \cdot \mathbf{y}$ for the matrix $M_{\mathrm{ID}} \in \mathbb{Z}_p^{(n+1) \times n}$ whose only non-zero entries are $-\mathrm{ID}$ on the diagonal and $1$ on the subdiagonal. On the other hand, for each private key $K_{\mathrm{ID}}$, the first $n$ delegation components satisfy

$$(T_0, \ldots, T_{n-1}) = \big( h_1^{r} \cdot h_0^{-\mathrm{ID} \cdot r},\ \ldots,\ h_n^{r} \cdot h_{n-1}^{-\mathrm{ID} \cdot r} \big) = g^{r \cdot M_{\mathrm{ID}}^{\top} \cdot \boldsymbol{\alpha}}.$$

Therefore, since $\mathbf{p} = M_{\mathrm{ID}} \cdot \mathbf{y}$, we have

$$\Big( z \cdot \prod_{k=0}^{n} h_k^{p_k} \Big)^{r} = z^{r} \cdot g^{r \cdot \mathbf{p}^{\top} \boldsymbol{\alpha}} = z^{r} \cdot g^{r \cdot \mathbf{y}^{\top} M_{\mathrm{ID}}^{\top} \boldsymbol{\alpha}} = z^{r} \cdot T_0^{y^{(\mathrm{ID})}_0} \cdots T_{n-1}^{y^{(\mathrm{ID})}_{n-1}}$$

which explains the transition between relations (12) and (13). To explain the second step of the decryption algorithm, we note that, for each $\mathrm{ID} \in S$, the pair $(D_{\mathrm{ID}}, d_{\mathrm{ID}})$ satisfies

$$e(D_{\mathrm{ID}}, g) = e(g_1, g_2) \cdot e\big( z \cdot h_0^{p_0} \cdot h_1^{p_1} \cdots h_n^{p_n},\ d_{\mathrm{ID}} \big). \tag{15}$$

By raising both members of (15) to the power $s \in \mathbb{Z}_p^*$, where $s$ is the random encryption exponent, we see why $m$ can be recovered as per (14).

The security of this scheme was proved [10] under the $(N+1)$-DBDHE assumption in the selective-ID model. In the context of IBBE schemes, the IND-sID-CPA model was formalized in [2]. It requires the adversary to choose upfront (i.e., before seeing $\mathrm{mpk}$) the set $S^* = \{\mathrm{ID}_1^*, \ldots, \mathrm{ID}_{n^*}^*\}$ of identities under which the challenge ciphertext $C^*$ will be generated. The adversary is then allowed to query private keys for identities $\mathrm{ID}_j \notin S^*$ and eventually aims at guessing which one out of two messages of her choice was encrypted in the generation of $C^*$.

6.2 A Weak Black-Box Accountable Authority IBBE

The idea of the scheme in section 3 applies to construct an IBBE scheme with short ciphertexts and accountable authorities. The syntax of accountable authority IBBE (A-IBBE) schemes extends that of IBBE systems in the same way as the A-IBE primitive extends IBE. The resulting construction goes as follows.

Setup$(\lambda, N)$: is as in the Boneh-Hamburg IBBE but the algorithm chooses an additional random group element $g_3$. The master public key thus consists of $\mathrm{mpk} = (g, g_1 = g^{a}, g_2, g_3, z, \mathbf{h} = g^{\boldsymbol{\alpha}})$ while the master secret is $\mathrm{msk} = (a, \boldsymbol{\alpha})$.

$\mathsf{Keygen}^{(\mathrm{PKG}, U)}$: the two parties conduct the following interactive steps.

1. $U$ picks $t_0, \theta \xleftarrow{R} \mathbb{Z}_p^*$ and sends a commitment $R = g_2^{t_0} \cdot g^{\theta}$ to the PKG and provides an interactive WI proof of knowledge of $(t_0, \theta)$.

2. The PKG outputs $\bot$ if the proof of knowledge is invalid. Otherwise, it picks $r, t_1 \xleftarrow{R} \mathbb{Z}_p^*$ and returns

$$K'_{\mathrm{ID}} = (K'_1, K'_2, T'_0, \ldots, T'_{N-1}, t'_{\mathrm{ID}}) = \big( (g_2^{t_1} \cdot R \cdot g_3)^{a} \cdot z^{r},\ g^{r},\ h_1^{r} \cdot h_0^{-\mathrm{ID} \cdot r},\ h_2^{r} \cdot h_1^{-\mathrm{ID} \cdot r},\ \ldots,\ h_N^{r} \cdot h_{N-1}^{-\mathrm{ID} \cdot r},\ t_1 \big).$$

3. $U$ picks $r' \xleftarrow{R} \mathbb{Z}_p^*$ and computes $K_{\mathrm{ID}} = (K_1, K_2, T_0, \ldots, T_{N-1}, t_{\mathrm{ID}})$, where $K_1 = K'_1 \cdot g_1^{-\theta} \cdot z^{r'}$, $K_2 = K'_2 \cdot g^{r'}$, $T_i = T'_i \cdot (h_{i+1} \cdot h_i^{-\mathrm{ID}})^{r'}$ for indices $i = 0, \ldots, N-1$ and $t_{\mathrm{ID}} = t'_{\mathrm{ID}} + t_0$, so that

$$K_{\mathrm{ID}} = (K_1, K_2, T_0, \ldots, T_{N-1}, t_{\mathrm{ID}}) = \big( (g_2^{t_0 + t_1} \cdot g_3)^{a} \cdot z^{r''},\ g^{r''},\ h_1^{r''} \cdot h_0^{-\mathrm{ID} \cdot r''},\ \ldots,\ h_N^{r''} \cdot h_{N-1}^{-\mathrm{ID} \cdot r''},\ t_0 + t_1 \big),$$

where $r'' = r + r'$. Then, $U$ checks whether $K_{\mathrm{ID}}$ satisfies the relation

$$e(K_1, g) = e(g_1, g_2)^{t_{\mathrm{ID}}} \cdot e(g_1, g_3) \cdot e(z, K_2),$$

and $e(g, T_i) = e(K_2, h_{i+1} \cdot h_i^{-\mathrm{ID}})$ for each $i \in \{0, \ldots, N-1\}$.

Encrypt$(\mathrm{mpk}, S, m)$: to encrypt $m \in \mathbb{G}_T$ for the receiver set $S = \{\mathrm{ID}_1, \ldots, \mathrm{ID}_n\}$, where $n \le N$,

1. Expand $P(X) \in \mathbb{Z}_p[X]$ as

$$P(X) = \prod_{\mathrm{ID}_i \in S} (X - \mathrm{ID}_i) = p_n X^{n} + p_{n-1} X^{n-1} + \cdots + p_1 X + p_0.$$

2. Choose $s \xleftarrow{R} \mathbb{Z}_p^*$ and compute

$$C = (C_0, C_1, C_2, C_3) = \big( m \cdot e(g_1, g_3)^{s},\ g^{s},\ (z \cdot h_0^{p_0} \cdot h_1^{p_1} \cdots h_n^{p_n})^{s},\ e(g_1, g_2)^{s} \big).$$

Decrypt$(\mathrm{mpk}, K_{\mathrm{ID}}, C, S)$: parse $C$ as $(C_0, C_1, C_2, C_3)$ and $K_{\mathrm{ID}}$ as $K_{\mathrm{ID}} = (K_1, K_2, T_0, \ldots, T_{N-1}, t_{\mathrm{ID}}) \in \mathbb{G}^{N+2} \times \mathbb{Z}_p$.

1. Expand $P_{\mathrm{ID}}(X) \in \mathbb{Z}_p[X]$ as

$$P_{\mathrm{ID}}(X) = \prod_{\mathrm{ID}_j \in S \setminus \{\mathrm{ID}\}} (X - \mathrm{ID}_j) = y^{(\mathrm{ID})}_{n-1} X^{n-1} + y^{(\mathrm{ID})}_{n-2} X^{n-2} + \cdots + y^{(\mathrm{ID})}_1 X + y^{(\mathrm{ID})}_0$$

and compute the decryption key

$$(D_{\mathrm{ID}}, d_{\mathrm{ID}}, t_{\mathrm{ID}}) = \big( K_1 \cdot T_0^{y^{(\mathrm{ID})}_0} \cdot T_1^{y^{(\mathrm{ID})}_1} \cdots T_{n-1}^{y^{(\mathrm{ID})}_{n-1}},\ K_2,\ t_{\mathrm{ID}} \big) = \big( (g_2^{t_{\mathrm{ID}}} \cdot g_3)^{a} \cdot (z \cdot h_0^{p_0} \cdot h_1^{p_1} \cdots h_n^{p_n})^{r},\ g^{r},\ t_{\mathrm{ID}} \big).$$

2. Recover the plaintext as

$$m = C_0 \cdot e(C_1, D_{\mathrm{ID}})^{-1} \cdot e(C_2, d_{\mathrm{ID}}) \cdot C_3^{t_{\mathrm{ID}}}.$$

$\mathsf{Trace}^{\mathbb{D}}(\mathrm{mpk}, K_{\mathrm{ID}}, \varepsilon)$: given a valid private key $K_{\mathrm{ID}}$ for the identity $\mathrm{ID}$ and an $\varepsilon$-useful decoder $\mathbb{D}$, the tracing algorithm proceeds in a similar fashion to previous schemes, by feeding $\mathbb{D}$ with ciphertexts $C = (C_0, C_1, C_2, C_3)$ and the receiver set $S$. In the generation of $C$, $C_1$ and $C_2$ are calculated as specified by the encryption algorithm. On the other hand, $C_3$ is chosen as a random element of $\mathbb{G}_T$ and $C_0$ is obtained by applying the decryption algorithm backwards to $S$ and $(C_1, C_2, C_3)$, i.e. $C_0 = m \cdot e(C_1, D_{\mathrm{ID}}) \cdot e(C_2, d_{\mathrm{ID}})^{-1} \cdot C_3^{-t_{\mathrm{ID}}}$ for a random plaintext $m \in \mathbb{G}_T$, so that decrypting $C$ with $K_{\mathrm{ID}}$ returns $m$.

Correctness is implied by the fact that the decryption key $(D_{\mathrm{ID}}, d_{\mathrm{ID}}, t_{\mathrm{ID}})$ satisfies the relation $e(D_{\mathrm{ID}}, g) = e(g_1, g_2)^{t_{\mathrm{ID}}} \cdot e(g_1, g_3) \cdot e\big( z \cdot \prod_{i=0}^{n} h_i^{p_i},\ d_{\mathrm{ID}} \big)$ and raising both members to the power $s$ as in previous schemes.

To avoid repeating the work of Boneh and Hamburg, we prove the security properties of the above A-IBBE system by reducing them to the IND-sID-CPA security of the underlying IBBE.

Theorem 9. The A-IBBE scheme is secure under the $(N+1)$-DBDHE assumption. More precisely, any IND-sID-CPA adversary against it implies an equally successful IND-sID-CPA attacker against the Boneh-Hamburg IBBE.

Proof. We show that an IND-sID-CPA adversary $\mathcal{A}$ against the A-IBBE scheme gives rise to a "real-or-random" IND-sID-CPA adversary $\mathcal{B}$ (i.e., in which the adversary outputs a single message $m$ and has to decide whether the challenge ciphertext $C^*$ encrypts $m$ or a random message) against the Boneh-Hamburg IBBE. Hence, the security of the latter implies the security of our scheme.

When $\mathcal{A}$ chooses her set of target identities $S^* = \{\mathrm{ID}_1^*, \ldots, \mathrm{ID}_{n^*}^*\}$, with $n^* \le N$, our adversary $\mathcal{B}$ forwards $S^*$ to her own challenger and receives a master public key $\mathrm{mpk}_{\mathrm{BH}} = (g, g_1 = g^{a}, g_2, z, \mathbf{h} = g^{\boldsymbol{\alpha}})$. Then, $\mathcal{B}$ picks $t^*, \beta \xleftarrow{R} \mathbb{Z}_p^*$, computes $g_3 = g_2^{-t^*} \cdot g^{\beta}$ and provides $\mathcal{A}$ with $\mathrm{mpk} = (g, g_1, g_2, g_3, z, \mathbf{h})$.

At any time, $\mathcal{A}$ may request an execution of the key generation protocol for an arbitrary identity $\mathrm{ID} \notin S^*$. At the beginning of each such protocol, $\mathcal{A}$ sends a commitment $R = g_2^{t_0} \cdot g^{\theta}$ and interactively proves knowledge of $(t_0, \theta)$, which $\mathcal{B}$ extracts by rewinding $\mathcal{A}$. Then, $\mathcal{B}$ chooses $t_1 \xleftarrow{R} \mathbb{Z}_p^*$, sets $t = t_0 + t_1$ and queries her own IND-sID-CPA challenger to obtain a private key

$$\tilde{K}_{\mathrm{ID}} = (\tilde{k}_1, \tilde{k}_2, \tilde{T}_0, \ldots, \tilde{T}_{N-1}) = \big( g_2^{a} \cdot z^{r},\ g^{r},\ h_1^{r} \cdot h_0^{-\mathrm{ID} \cdot r},\ h_2^{r} \cdot h_1^{-\mathrm{ID} \cdot r},\ \ldots,\ h_N^{r} \cdot h_{N-1}^{-\mathrm{ID} \cdot r} \big)$$

for the identity $\mathrm{ID}$ chosen by $\mathcal{A}$. The latter is turned into an A-IBBE private key and re-randomized by setting

$$K_{\mathrm{ID}} = (K_1, K_2, T_0, \ldots, T_{N-1}) = \Big( g_1^{\beta} \cdot \tilde{k}_1^{(t - t^*)} \cdot z^{r'},\ \tilde{k}_2^{(t - t^*)} \cdot g^{r'},\ \tilde{T}_0^{(t - t^*)} \cdot (h_1 \cdot h_0^{-\mathrm{ID}})^{r'},\ \ldots,\ \tilde{T}_{N-1}^{(t - t^*)} \cdot (h_N \cdot h_{N-1}^{-\mathrm{ID}})^{r'} \Big),$$

where $r' \xleftarrow{R} \mathbb{Z}_p^*$. The new key $K_{\mathrm{ID}}$ is easily seen to have the same distribution as those obtained in step 3 of the key generation protocol (since $g_2^{t} \cdot g_3 = g_2^{t - t^*} \cdot g^{\beta}$, its first component is $(g_2^{t} \cdot g_3)^{a} \cdot z^{r(t - t^*) + r'}$). Finally, $\mathcal{A}$ obtains the "blinded key" $K'_{\mathrm{ID}} = (K'_1, K'_2, T'_0, \ldots, T'_{N-1}, t_1)$, where $K'_1 = K_1 \cdot g_1^{\theta}$.

In the challenge phase, $\mathcal{A}$ chooses a pair of target messages $(m_0, m_1)$. The adversary $\mathcal{B}$ chooses a random plaintext $m^* \xleftarrow{R} \mathbb{G}_T$, which she sends to her own "real-or-random" challenger. The latter replies with a challenge ciphertext

$$C^* = (C_0^*, C_1^*, C_2^*) = \big( m \cdot e(g_1, g_2)^{s^*},\ g^{s^*},\ (z \cdot h_0^{p_0} \cdot h_1^{p_1} \cdots h_{n^*}^{p_{n^*}})^{s^*} \big)$$

for the receiver set $S^* = \{\mathrm{ID}_1^*, \ldots, \mathrm{ID}_{n^*}^*\}$, where $m$ is either $m^*$ or a random element of $\mathbb{G}_T$. The adversary $\mathcal{B}$ picks a random bit $d \xleftarrow{R} \{0,1\}$ and computes $C' = (C_0', C_1^*, C_2^*, C_0^*/m^*)$ where $C_0' = m_d \cdot (C_0^*/m^*)^{-t^*} \cdot e(g_1, C_1^*)^{\beta}$, and $C'$ is relayed to $\mathcal{A}$ as a challenge ciphertext. After a second series of key generation queries, $\mathcal{A}$ outputs a bit $d' \in \{0,1\}$, and $\mathcal{B}$ outputs "real" if $d' = d$ and "random" otherwise. It is easy to see that, if $C^*$ encrypts a random plaintext, then $C_0^*/m^*$ can be expressed as $C_0^*/m^* = e(g_1, g_2)^{s^* + s'}$, where $s^* = \log_g(C_1^*)$, for some $s' \neq 0$. In this case, we obtain that $C_0' = m_d \cdot e(g_1, g_3)^{s^*} \cdot e(g_1, g_2)^{-t^* s'}$ statistically hides $m_d$ (and thus $\Pr[d' = d] = 1/2$) since $\mathcal{A}$ has no information on $t^*$. In contrast, if $C^*$ encrypts $m^*$, then $C'$ is a valid encryption of $m_d$ for the A-IBBE scheme, so that $\Pr[d' = d] = 1/2 + \mathbf{Adv}_{\mathcal{A}}(\lambda)$, where $\mathbf{Adv}_{\mathcal{A}}(\lambda)$ denotes the IND-sID-CPA advantage of $\mathcal{A}$ against the A-IBBE scheme. It comes that $\mathcal{B}$'s advantage in the real-or-random game is exactly $\mathbf{Adv}_{\mathcal{A}}(\lambda)$, which is therefore bounded by $\mathbf{Adv}_{\mathrm{BH}}^{\mathrm{IND\text{-}sID\text{-}CPA}}(\lambda)$, the maximal "real-or-random" advantage of any IND-sID-CPA adversary against the Boneh-Hamburg IBBE. $\square$

Lemma 4. In the selective-ID ComputeNewKey game and for a e-useful decryp- 
tion device B, the probability that an iteration of the tracing procedure increases 
ctr is at least pi > e — Adv[^ r 1 ^" DBDHE (A). 

Proof. Let us assume that, at the end of the selective- ID ComputeNewKey game, 
the dishonest user A outputs a device B for which a given iteration of the tracing 
procedure increments ctr with a probability pi, which is significantly smaller 
than e. Then, we show how to obtain an IND-sID-CPA adversary B against the 
Boneh-Hamburg IBBE. 

The adversary B plays the IND-sID-CPA game against a challenger C BH and 
plays „4's challenger in the selective-ID ComputeNewKey game. At the outset 
of the latter, A chooses a target identity ID* and B chooses her set of target 
identities as S* = {ID*}. When seeing the description of S*, the IBBE challenger 
C BH generates a master public key mpk BH = (g,gi,g2,z,h). Then, B chooses 
t*, (3 <— Z* and sets gz = g^ 1 ■ g 13 ■ The master public key of the A-IBBE system 
is defined as mpk = (g, gi, g 2 , 53, z, h) and given to A. 

Then, A starts making a number of key generation queries. For each key 
generation query involving an identity ID 7^ ID*, B proceeds by invoking her own 
challenger C BH , exactly as in the proof of theorem 9. When A queries a private 
key K\o* for the target identity ID*, B first rewinds the proof of knowledge so as 
to extract the pair (to, 9) such that R = gl° ■ g e in the commitment. Then, it sets 
t\ = t* — to (in such a way that t = to + ti = t*). In this case, B can compute 
an A-IBBE private key K\d* on her own (without having to query C BH ) as 

(K 1 ,K 2 ,T ,...,T N - 1 ,t lD *) = (<?? -z r , g r , (h, ■ h^) r , . . . , (h N -h^°[) r , **), 
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which is well- formed since g\ ■ g% = g 13 . Finally, B returns the "blinded key" 
Kid* = (ffi ' K U K 2 , T , . . . , TV-i, ii) to A. 

At the end of the game, A outputs a private key K_{ID*} and an ε-useful device D for the identity ID*. In the tracing stage, B sends a random plaintext m* ← G_T to C_BH, who replies with a challenge (C_0^*, C_1^*, C_2^*), where C_0^* = m* · e(g_1, g_2)^{s*} and C_1^* = g^{s*} if C_BH is playing the "real" game. On the other hand, if C_BH decides to play the "random" game, C_0^* is random in G_T. To construct a ciphertext for the A-IBBE scheme, B sets C_3 = C_0^*/m* (which equals e(g_1, g_2)^{s*} in the "real" game and e(g_1, g_2)^{s'} with s' ≠ s* in the "random" game), C_1 = C_1^* and C_2 = C_2^*. To compute C_0, B chooses m ← G_T and calculates

$$C_0 = m \cdot e(C_1, D_{ID^*}) \cdot e(C_2, d_{ID^*})^{-1} \quad (16)$$

where (D_{ID*}, d_{ID*}, t*) is the decryption key for the identity ID* and the receiver set S*, which is obtained from K_{ID*}.

If D returns the correct plaintext m, the distinguisher B halts and outputs "real" (meaning that C_BH is playing the "real" game). Otherwise, B outputs "random". In the former case, (C_0, C_1, C_2, C_3) is a valid ciphertext for the receiver set S* = {ID*} and B returns 1 with probability ε since D is an ε-useful device. If C_BH plays the random game, log_g(C_1) ≠ log_{e(g_1, g_2)}(C_3) and (C_0, C_1, C_2, C_3) has the distribution of a ciphertext generated in iterations of the tracing stage. In this case, the probability that D returns the plaintext m is p_1. By the definition of IND-sID-CPA security of the IBBE scheme, we must have ε − p_1 ≤ Adv_B^{IND-sID-CPA}(λ). Since the result of [10] implies that

Adv_B^{IND-sID-CPA}(λ) ≤ Adv_B^{(N+1)-DBDHE}(λ), the claimed result follows. □

Theorem 10. In the selective-ID ComputeNewKey game, any PPT adversary 
has negligible advantage assuming that the (N + 1)-DBDHE assumption holds. 

Proof. Again, the proof is similar to the one of theorem 4 and is omitted. □ 

As in previous schemes, as long as pirate devices are stateless, no dishonest PKG 
can create one that gets the tracing procedure to accuse the user and the result 
holds unconditionally. 

Theorem 11. In the information theoretic sense, no adversary has an advan- 
tage in the FindKey-CPA game. 

We remark that it is possible to re-write the description of our scheme of section 3 in such a way that its security properties can be reduced to the security of the first Boneh-Boyen IBE [5] (in the same way as we reduced the security of our A-IBBE to the security of the underlying IBBE). However, giving a proof from scratch allowed us to avoid rewinding as much as possible in section 3. It would be interesting to see if, in our A-IBBE, the number of rewinds can also be minimized by giving direct proofs under the (N + 1)-DBDHE assumption for theorem 9 and lemma 4.

It is also noteworthy that other IBE-related primitives can be made account- 
able using the same technique. Due to their algebraic similarities with the "com- 
mutative blinding" IBE family, the "large-universe" attribute-based encryption 
schemes described in [35, 26] can easily be tweaked to support accountability in
the weak black-box model. 

7 Conclusion 

We described the first A-IBE system allowing for weak black-box traceability while retaining short ciphertexts and private keys. We also suggested a white-box variant that remains secure against dishonest PKGs equipped with a decryption oracle. In the black-box setting, it remains an open problem to achieve the latter property without significantly degrading the efficiency.

In the setting of hierarchical IBE schemes, it would also be desirable to see how the problem can be addressed. When a pirate decoder is found to decrypt ciphertexts intended for a node, one should be able to determine which ancestor(s) of that node should be blamed.
A A Variant with White-Box FindKey-CCA security

To achieve IND-sID-CCA2 security, we can hybridize the scheme using an authenticated symmetric encryption scheme (as defined in appendix B) as previously considered in [37, 29] in the context of identity-based encryption. The obtained variant is reminiscent of a version of Gentry's IBE described in [29] and can be proved IND-sID-CCA2 secure in a completely analogous way.

Setup: is the same as in section 3 except that the PKG now chooses two elements Y_A, Y_B ∈ G instead of a single one Y. An authenticated symmetric encryption scheme (E, D) of keylength ℓ ∈ N, a secure key derivation function KDF : G_T → {0,1}^ℓ and a target collision-resistant hash function H : {0,1}^* → Z_p^* are also needed. The master key is set as msk := x and the global public key is mpk := (X = g^x, h, Y_A, Y_B, Z, H, KDF, (E, D)).

Keygen^{(PKG, U)}: to obtain a private key for his identity ID, a user U interacts with the PKG as follows.

1. U sends R = h^{t_0} · X^θ to the PKG and proves his knowledge of the underlying pair (t_0, θ) ← (Z_p^*)^2 in a witness indistinguishable fashion.

2. The PKG outputs ⊥ if the proof is incorrect. Otherwise, it picks random values r'_A, t_{A,1}, r'_B, t_B ← Z_p^* and returns

$$d'_{ID,A} = (d'_{A,1}, d'_{A,2}, d'_{A,3}) = \big( (Y_A \cdot R \cdot h^{t_{A,1}})^{1/x} \cdot (g^{ID} \cdot Z)^{r'_A},\ X^{r'_A},\ t_{A,1} \big)$$

$$d'_{ID,B} = (d'_{B,1}, d'_{B,2}, d'_{B,3}) = \big( (Y_B \cdot h^{t_B})^{1/x} \cdot (g^{ID} \cdot Z)^{r'_B},\ X^{r'_B},\ t_B \big)$$

3. U computes d_{ID,A} = (d'_{A,1}/g^θ · (g^{ID} · Z)^{r''_A}, d'_{A,2} · X^{r''_A}, d'_{A,3} + t_0) as well as d_{ID,B} = (d'_{B,1} · (g^{ID} · Z)^{r''_B}, d'_{B,2} · X^{r''_B}, d'_{B,3}), for randomly chosen r''_A, r''_B ← Z_p^* so that

$$d_{ID,A} = (d_{A,1}, d_{A,2}, d_{A,3}) = \big( (Y_A \cdot h^{t_A})^{1/x} \cdot (g^{ID} \cdot Z)^{r_A},\ X^{r_A},\ t_A \big)$$
$$d_{ID,B} = (d_{B,1}, d_{B,2}, d_{B,3}) = \big( (Y_B \cdot h^{t_B})^{1/x} \cdot (g^{ID} \cdot Z)^{r_B},\ X^{r_B},\ t_B \big)$$

where t_A = t_0 + t_{A,1}, r_A = r'_A + r''_A and r_B = r'_B + r''_B. He checks whether d_{ID,A} and d_{ID,B} respectively satisfy

$$e(d_{A,1}, X) = e(Y_A, g) \cdot e(h, g)^{d_{A,3}} \cdot e(g^{ID} \cdot Z, d_{A,2}) \quad (17)$$
$$e(d_{B,1}, X) = e(Y_B, g) \cdot e(h, g)^{d_{B,3}} \cdot e(g^{ID} \cdot Z, d_{B,2}). \quad (18)$$

If so, he sets his private key as (d_{ID,A}, d_{ID,B}) and the latter belongs to the family of decryption keys identified by n_F = d_{A,3} = t_A.

Encrypt: to encrypt m given mpk and ID, choose s ← Z_p^* and compute

$$C = (C_1, C_2, C_3, C_4) = \big( X^s,\ (g^{ID} \cdot Z)^s,\ e(g, h)^s,\ E_K(m) \big)$$

where K = KDF(e(g, Y_A)^s · e(g, Y_B)^{κ s}) and κ = H(C_1, C_2, C_3).

Decrypt: given C = (C_1, C_2, C_3, C_4) and d_{ID} = (d_{ID,A}, d_{ID,B}), compute the plaintext m = D_K(C_4) (which may just be ⊥ if C_4 is not a valid authenticated encryption) using the key

$$K = KDF\left( \frac{e(C_1,\ d_{A,1} \cdot d_{B,1}^{\kappa})}{e(C_2,\ d_{A,2} \cdot d_{B,2}^{\kappa}) \cdot C_3^{\,d_{A,3} + \kappa d_{B,3}}} \right) \quad (19)$$

with κ = H(C_1, C_2, C_3).

Trace: given an alleged private key (d_{ID,A}, d_{ID,B}), with d_{ID,A} = (d_{A,1}, d_{A,2}, d_{A,3}), for an identity ID, check the validity of d_{ID} w.r.t. ID using relations (17)-(18). If valid, the key is declared as a member of the family n_F = d_{A,3} = t_A.
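To make the algebra of this variant concrete, here is an added example (not code from the paper) that simulates Keygen, the sanity check (17)/(18), the KDF input shared by Encrypt and Decrypt (19) and the public type I test from appendix C in a toy model that tracks pairing-group exponents modulo a constructed prime. The prime, the SHA-256 stand-in for H and all variable names are assumptions, and the model has no security value because the simulator knows every discrete logarithm; it only checks that the equations hold.

```python
import hashlib
import secrets

# Toy exponent model of a symmetric pairing: a G element g^a and a G_T element e(g,g)^c
# are stored as a, c in Z_p, so e(g^a, g^b) = e(g,g)^{ab}. Checks algebra only; no security.
p = (1 << 127) - 1  # constructed prime standing in for the group order
def pair(a, b):
    return a * b % p
def rand():  # uniform element of Z_p^*
    return secrets.randbelow(p - 1) + 1
def kappa(c1, c2, c3):  # stands in for kappa = H(C_1, C_2, C_3) (assumed hash)
    d = hashlib.sha256(f"{c1}|{c2}|{c3}".encode()).digest()
    return int.from_bytes(d, "big") % (p - 1) + 1

def setup():  # msk x and mpk (X = g^x, h, Y_A, Y_B, Z); g itself is exponent 1
    x = rand()
    return {"x": x, "X": x, "h": rand(), "YA": rand(), "YB": rand(), "Z": rand()}

def keygen(pk, ID):
    """Keygen: the user blinds with (t_0, theta), the PKG answers, the user unblinds."""
    x, h, F = pk["x"], pk["h"], (ID + pk["Z"]) % p        # F = g^ID * Z
    t0, theta = rand(), rand()
    R = (h * t0 + x * theta) % p                           # R = h^t0 * X^theta (step 1)
    rA1, tA1, rB1, tB = rand(), rand(), rand(), rand()     # PKG randomness (step 2)
    inv_x = pow(x, -1, p)
    dA = ((pk["YA"] + R + h * tA1) * inv_x + F * rA1, x * rA1, tA1)
    dB = ((pk["YB"] + h * tB) * inv_x + F * rB1, x * rB1, tB)
    rA2, rB2 = rand(), rand()                              # user re-randomization (step 3)
    dA = ((dA[0] - theta + F * rA2) % p, (dA[1] + x * rA2) % p, (tA1 + t0) % p)
    dB = ((dB[0] + F * rB2) % p, (dB[1] + x * rB2) % p, tB)
    return dA, dB  # family number n_F = dA[2] = t_A = t_0 + t_{A,1}

def sanity_check(pk, ID, d, Y):  # relations (17)/(18)
    F = (ID + pk["Z"]) % p
    return pair(d[0], pk["X"]) == (Y + pk["h"] * d[2] + pair(F, d[1])) % p

def encrypt_material(pk, ID, s):
    # (C_1, C_2, C_3) = (X^s, (g^ID Z)^s, e(g,h)^s) and the KDF input e(g,Y_A)^s e(g,Y_B)^{kappa s}
    F = (ID + pk["Z"]) % p
    c = (pk["X"] * s % p, F * s % p, pk["h"] * s % p)
    return c, (pk["YA"] * s + pk["YB"] * kappa(*c) * s) % p

def decrypt_material(c, dA, dB):  # the KDF input of equation (19)
    k = kappa(*c)
    num = pair(c[0], dA[0] + k * dB[0])
    den = pair(c[1], dA[1] + k * dB[1]) + c[2] * (dA[2] + k * dB[2])
    return (num - den) % p

def is_type_one(pk, ID, c):  # public test e(C_1, F(ID)) != e(X, C_2) from appendix C
    return pair(c[0], (ID + pk["Z"]) % p) != pair(pk["X"], c[1])
```

Two independently generated keys for the same identity derive the same KDF input on a well-formed ciphertext but different ones on a type I ciphertext, which is the observation the proof of theorem 12 builds on.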

The proof of IND-sID-CCA security is omitted here as it is a standard application of the technique used in [29], which in turn borrows ideas from [30, 40, 27].

In the chosen-ciphertext scenario, the white-box FindKey security is no longer unconditional but relies on the (weak) ciphertext integrity property of the symmetric encryption scheme.

Theorem 12. The scheme is FindKey-CCA secure assuming the security of the key derivation function and the (weak) ciphertext integrity of the symmetric encryption scheme. The advantage of an adversary A making at most q_d decryption queries is bounded by

$$Adv^{FindKey\text{-}CCA}(\lambda) \le 2 q_d \cdot Adv^{CT\text{-}INT}(\lambda) + 2 q_d \cdot Adv^{KDF}(\lambda, \ell) + \frac{2 q_d^2 + q_d + 1}{p}.$$

Proof. Given in appendix C. □



B Authenticated Symmetric Encryption

A symmetric encryption scheme is specified by a pair (E, D), where E is the encryption algorithm and D is the decryption procedure, and a key space K(ℓ) where ℓ ∈ N is a security parameter. The security of authenticated symmetric encryption is defined by means of two games that capture the ciphertext indistinguishability and ciphertext (one-time) integrity properties.

Definition 6. A symmetric encryption scheme is secure in the sense of authenticated encryption if any PPT adversary has negligible advantage in the following games.

1. The IND-SYM game. For any PPT algorithm A, the model considers the following game, where ℓ ∈ N is a security parameter:

   Game_A^{IND-SYM}
     K ← K(ℓ)
     (m_0, m_1, s) ← A(find, ℓ)
     d* ← {0,1}
     c* ← E_K(m_{d*})
     d ← A(guess, s, c*)
     return 1 if d = d* and 0 otherwise.

   A's advantage is Adv_A^{IND-SYM}(ℓ) = |Pr[Game_A^{IND-SYM} = 1] − 1/2|.

2. The CT-INT game. Let A be a PPT algorithm. We consider the following game, where ℓ ∈ N is a security parameter:

   Game_A^{CT-INT}
     K ← K(ℓ)
     (m, s) ← A(find, ℓ)
     c ← E_K(m)
     c' ← A(create, c)
     return 1 if c' ≠ c and D_K(c') ≠ ⊥, 0 otherwise.

   A's advantage is now defined as Adv_A^{CT-INT}(ℓ) = Pr[Game_A^{CT-INT} = 1].

The notion of weak ciphertext integrity is defined in the same way but the adversary is not allowed to see an encryption c under the challenge key K.



C Proof of Theorem 12

The proof proceeds with a sequence of two games, in which S_i denotes the event that the adversary A wins during Game_i with i ∈ {0, 1}.

Game_0: is the FindKey-CCA experiment. The dishonest PKG A generates the master public key and chooses an identity ID that she wishes to be challenged upon. She interacts with the challenger in a key generation protocol, upon completion of which the challenger B obtains a decryption key consisting of two triples d^{(1)}_{ID,A} = (d_{A,1}^{(1)}, d_{A,2}^{(1)}, d_{A,3}^{(1)}), d^{(1)}_{ID,B} = (d_{B,1}^{(1)}, d_{B,2}^{(1)}, d_{B,3}^{(1)}) that should pass the key sanity check (otherwise, B aborts). At this stage, A knows t_B^{(1)} = d_{B,3}^{(1)} but has no information on t_A^{(1)} = d_{A,3}^{(1)} or on the values r_A = log_X(d_{A,2}^{(1)}) and r_B = log_X(d_{B,2}^{(1)}) (by the construction of the key generation protocol). In the next phase, A starts making a number of decryption queries that the challenger handles using (d^{(1)}_{ID,A}, d^{(1)}_{ID,B}). Namely, when queried on a ciphertext C = (C_1, C_2, C_3, C_4), B calculates

where κ = H(C_1, C_2, C_3), K = KDF(ψ) and m = D_K(C_4), which is returned to A (and may be ⊥ if C is declared invalid).

At the end of the game, A outputs a key (d^{(2)}_{ID,A}, d^{(2)}_{ID,B}) and wins if d^{(2)}_{ID,A} parses into (d_{A,1}^{(2)}, d_{A,2}^{(2)}, d_{A,3}^{(2)}) such that d_{A,3}^{(1)} = t_A^{(1)} = t_A^{(2)} = d_{A,3}^{(2)}.

We note that decryption queries on well-formed ciphertexts do not reveal any information to A (since all well-formed keys yield the same result). We will show that, provided all ill-formed ciphertexts are rejected by B, A still has negligible information on t_A^{(1)} in the end of the game. For convenience, we distinguish two types of invalid ciphertexts: type I ciphertexts (C_1, C_2, C_3, C_4) are such that log_X(C_1) ≠ log_{F(ID)}(C_2) (and can be told apart from valid ones by checking if e(C_1, F(ID)) ≠ e(X, C_2)), where F(ID) = g^{ID} · Z, whereas type II ciphertexts are those for which log_X(C_1) = log_{F(ID)}(C_2) ≠ log_{e(g,h)}(C_3).

Game_1: is as Game_0 but B rejects all type I invalid ciphertexts (that are publicly recognizable). Such a malformed ciphertext comprises elements C_1 = X^{s_1}, C_2 = F(ID)^{s_1 − s'_1} and C_3 = e(g, h)^{s_1 − s''_1} where s'_1 > 0 and s''_1 ≥ 0. Hence, the symmetric key K that B calculates is derived from

$$\psi = e(g, Y_A \cdot Y_B^{\kappa})^{s_1} \cdot e(F(ID), X)^{s'_1 (r_A + \kappa r_B)} \cdot e(g, h)^{s''_1 (t_A + \kappa t_B)} \quad (20)$$

where κ = H(C_1, C_2, C_3). Upon termination of the key generation protocol, A has no information on r_A, r_B (as B re-randomizes its key). Even if κ was the same in all decryption queries (which may happen if these queries all involve identical (C_1, C_2, C_3)), the second term of the product (20) remains almost uniformly random to A at each new query. Indeed, for each failed one, A learns at most one value that is not r_A + κ r_B. After i attempts, p − i candidates are left and the distance between the uniform distribution on G_T and that of e(F(ID), X)^{s'_1 (r_A + κ r_B)} becomes at most i/p < q_d/p. Then, the only way for A to cause the new rejection rule to apply is to forge a symmetric authenticated encryption for an essentially random key K. A standard argument shows that, throughout all queries, the probability of B not rejecting a type I ciphertext is smaller than q_d · (Adv^{CT-INT}(λ) + Adv^{KDF}(λ, ℓ) + q_d/p). It easily comes that |Pr[S_1] − Pr[S_0]| ≤ q_d · (Adv^{CT-INT}(λ) + Adv^{KDF}(λ, ℓ) + q_d/p).

We now consider type II invalid queries. While A knows t_B^{(1)}, she has initially no information on t_A^{(1)} and the last term of the product (20) is unpredictable to her at the first type II query. Each such rejected query allows A to rule out at most one candidate for the value t_A^{(1)}. After i < q_d unsuccessful type II queries, she is left with at least p − i candidates at the next type II query, where the distance between the uniform distribution on G_T and that of ψ (calculated as per (20)) becomes smaller than i/p < q_d/p. Again, one can show that, throughout all queries, the probability of B not rejecting a type II ciphertext is at most q_d · (Adv^{CT-INT}(λ) + Adv^{KDF}(λ, ℓ) + q_d/p). Let us call type-2 the latter event. If all invalid ciphertexts are rejected, A's probability of success is given by Pr[S_1 | ¬type-2] ≤ 1/(p − q_d) ≤ (q_d + 1)/p. Since

$$\begin{aligned}
\Pr[S_1] &= \Pr[S_1 \wedge \text{type-2}] + \Pr[S_1 \wedge \neg\text{type-2}] \\
&\le \Pr[\text{type-2}] + \Pr[S_1 \mid \neg\text{type-2}] \Pr[\neg\text{type-2}] \\
&\le \Pr[\text{type-2}] + \Pr[S_1 \mid \neg\text{type-2}] \\
&\le q_d \cdot \Big( Adv^{CT\text{-}INT}(\lambda) + Adv^{KDF}(\lambda, \ell) + \frac{q_d}{p} \Big) + \frac{q_d + 1}{p}
\end{aligned}$$

and |Pr[S_0] − Pr[S_1]| ≤ q_d · (Adv^{CT-INT}(λ) + Adv^{KDF}(λ, ℓ) + q_d/p), the claimed upper bound follows. □